SB2026070281 - Ubuntu update for linux




Published: July 2, 2026

Security Bulletin ID: SB2026070281
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 237
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 16%
Low: 84%

Description

This security bulletin contains information about 237 vulnerabilities.


1) Observable discrepancy (CVE-ID: CVE-2025-54505)

CWE-ID: CWE-203 - Observable discrepancy

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to transient execution in the floating-point divisor unit when executing floating-point operations in privileged code. A local user can sample data from the floating-point divisor unit to disclose sensitive information.

The issue affects systems with SMT enabled as well as systems without SMT.


2) Incorrect Conversion between Numeric Types (CVE-ID: CVE-2026-52933)

CWE-ID: CWE-681 - Incorrect Conversion between Numeric Types

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper type conversion in io_poll_get_ownership() in io_uring/poll.c when handling poll ownership checks. A local user can trigger the affected code path to cause a denial of service.


3) Out-of-bounds read (CVE-ID: CVE-2026-52907)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the rkcif MIPI register access logic when handling crafted index values. A local user can trigger the off-by-one condition to cause a denial of service.


4) Improper access control (CVE-ID: CVE-2026-52906)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass privileged file operations on a mounted 9p filesystem.

The vulnerability exists due to improper access control in v9fs_apply_options() and v9fs_fid_lookup() when processing mount access mode options. A local user can mount the filesystem with the "access=user" option to cause fid lookups to use INVALID_UID instead of current_fsuid().

This issue affects 9P2000.L mounts because conflicting access mode bits can be set at the same time, causing access mode checks to match neither mode.


5) Improper input validation (CVE-ID: CVE-2026-52905)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in damon_start() in the DAMON core when processing a min_region_sz value that is not a power of two. A local user can provide a crafted min_region_sz value to cause a denial of service.

The issue affects the DAMON sysfs interface.


6) Improper resource shutdown or release (CVE-ID: CVE-2026-52904)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in nouveau_drm_probe() when handling a probe failure after removing conflicting PCI devices. A local user can trigger aperture_remove_conflicting_pci_devices() failure during device probe to cause a denial of service.


7) Stack-based buffer overflow (CVE-ID: CVE-2026-46332)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to stack-based buffer overflow in cc1352_bootloader_rx() in drivers/greybus/gb-beagleplay.c when processing bootloader receive chunks. A local attacker can send oversized input to overflow the receive buffer and cause a denial of service.


8) Double free (CVE-ID: CVE-2026-46316)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in vgic_its_invalidate_cache() in the KVM arm64 vgic-its translation cache when invalidating cache entries concurrently. A local user can trigger concurrent cache invalidation paths to cause a denial of service.

The issue occurs because multiple contexts can drain the same cache at the same time, allowing an entry to be freed while an ITE still maps it.


9) Out-of-bounds write (CVE-ID: CVE-2026-46289)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in extract_kvec_to_sg in lib/scatterlist.c when extracting a kvec into a scatterlist. A local user can trigger the function with crafted kvec data to cause a denial of service.


10) Use-after-free (CVE-ID: CVE-2026-46288)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to use-after-free in of_unittest_changeset() when handling device tree unittest changeset nodes. A local attacker can trigger access to a freed struct device_node to cause a denial of service.

The issue occurs because a reference-counted node is released and then later accessed through another pointer that refers to the same object.


11) Improper locking (CVE-ID: CVE-2026-46287)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local privileged user to cause a denial of service.

The vulnerability exists due to improper locking in txgbe_remove_phy in the txgbe driver when removing the module for a copper NIC with an external PHY. A local privileged user can remove the txgbe module to cause a denial of service.

The issue is triggered during module removal and results in an RTNL assertion warning in phylink_disconnect_phy().


12) Out-of-bounds read (CVE-ID: CVE-2026-46286)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the qcom lpg pwm state handling code when processing high resolution clock selection values from a register. A local user can trigger an invalid array index to cause a denial of service.


13) Use-after-free (CVE-ID: CVE-2026-46285)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in docg3_release() in the docg3 driver when releasing a platform device. A local user can trigger the release of a crafted device state to cause a denial of service.


14) NULL pointer dereference (CVE-ID: CVE-2026-46284)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in hugetlb_add_param() in mm/hugetlb.c when parsing kernel command-line parameters without an '=' separator. A local attacker can supply a crafted kernel command-line parameter to cause a denial of service.

The issue can crash the system during early boot when hugepages, hugepagesz, or default_hugepagesz are specified without a value separator.


15) Sensitive Information in Resource Not Removed Before Reuse (CVE-ID: CVE-2026-46283)

CWE-ID: CWE-226 - Sensitive Information in Resource Not Removed Before Reuse

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to missing sensitive data clearing in tpm_dev_release() when releasing a TPM device. A local user can trigger device teardown to disclose sensitive information.

The freed structure may contain HMAC session keys, nonces, and passphrase data.


16) NULL pointer dereference (CVE-ID: CVE-2026-46282)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the admv1013 driver property parsing logic when reading device properties during device initialization. A local user can provide crafted property values or trigger property read failures to cause a denial of service.

The issue occurs because a failed string property read leaves a string pointer uninitialized before it is compared.


17) Out-of-bounds write (CVE-ID: CVE-2026-46281)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to out-of-bounds write in vrealloc_node_align_noprof() when reallocating and shrinking an existing vmalloc allocation that requires a new allocation. A local user can trigger the vulnerable reallocation path to cause a denial of service.

The issue occurs when the existing pointer is on the wrong NUMA node or does not satisfy an alignment constraint, causing data from the old allocation to be copied into a smaller new buffer.


18) Use-after-free (CVE-ID: CVE-2026-46280)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in dmirror_devmem_fault() and dmirror_fops_release() in lib/test_hmm.c when handling faults on stale device private pages after file close. A local user can trigger a subsequent fault on those pages to cause a denial of service.

This issue was observed when a test failure triggered a coredump that walked VMAs and faulted in stale device private pages.


19) Use of Uninitialized Variable (CVE-ID: CVE-2026-46279)

CWE-ID: CWE-457 - Use of Uninitialized Variable

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to uninitialized codetag references in page allocation tagging when freeing pages that were allocated before page_ext initialization. A local user can trigger kernel memory allocation and free activity to cause a denial of service.

This warning is only observed with CONFIG_MEM_ALLOC_PROFILING_DEBUG enabled and mem_profiling_compressed disabled.


20) NULL pointer dereference (CVE-ID: CVE-2026-46278)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the pvr_fw_trace_mask_set debugfs handler when handling writes to the trace_mask debugfs entry. A local user can write to the debugfs file to cause a denial of service.

The issue is reachable through the powervr driver's debugfs interface.


21) Use-after-free (CVE-ID: CVE-2026-46277)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in free_zone_device_folio() in mm/memremap.c when freeing a device folio through the zone device memory path. A local user can trigger reuse of the folio after ->folio_free() and cause a denial of service.


22) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-46276)

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of zero-size resource initialization in amdgpu_ttm_init_on_chip() when initializing on-chip memory resources during amdgpu module loading on RDNA4 hardware. A local user can trigger initialization of the amdgpu driver on affected hardware to cause a denial of service.

The issue occurs only on RDNA4 hardware where the GDS, GWS, and OA on-chip memory resources are absent, and the crash is observed when CONFIG_DRM_DEBUG_MM is enabled.


23) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-46244)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass firewall restrictions.

The vulnerability exists due to improper handling of the transport header offset in nft_inner_parse_l2l3() in net/netfilter/nft_inner.c when processing inner IPv6 packets with extension headers. A remote attacker can send specially crafted packets to bypass firewall restrictions.

The issue causes a desynchronization between inner_thoff and l4proto, allowing transport header forgery in the inner IPv6 parsing path.


24) Improper input validation (CVE-ID: CVE-2026-46243)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information, modify data, or cause a denial of service.

The vulnerability exists due to improper input validation in the cifs.spnego key description handling in fs/smb/client/cifs_spnego.c when processing userspace-created cifs.spnego keys through request_key(2) or add_key(2). A local user can supply a crafted cifs.spnego description to disclose sensitive information, modify data, or cause a denial of service.

The issue arises because authority-bearing fields such as pid, uid, creduid, and upcall_target may be treated by cifs.upcall as kernel-originating inputs.


25) Integer overflow (CVE-ID: CVE-2026-46195)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an integer overflow in parse_sec_desc(), build_sec_desc(), and id_mode_to_cifs_acl() when processing a server-supplied security descriptor with a crafted dacloffset value. A remote attacker can return a malicious security descriptor to trigger pointer wraparound and cause a denial of service.

The issue affects 32-bit builds and can be reached through the chmod/chown rewrite paths.


26) Out-of-bounds read (CVE-ID: CVE-2026-46185)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to out-of-bounds read in symlink_data() when processing an SMB2 symlink error response. A remote attacker can send a specially crafted SMB2 response to disclose sensitive information.

The issue can occur when the response buffer is shorter than the expected SMB2 error response structure.


27) Out-of-bounds read (CVE-ID: CVE-2026-46155)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in smb2_compound_op() when processing a crafted SMB server response. A remote attacker can send a truncated response with a large OutputBufferLength and an early-terminated EA list to disclose sensitive information.


28) Race condition (CVE-ID: CVE-2026-46137)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in mptcp_pm_add_timer() when handling ADD_ADDR retransmission timer callbacks. A local user can trigger concurrent access to cause a denial of service.


29) Race condition (CVE-ID: CVE-2026-46135)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a race condition in nvmet_tcp_handle_icreq() and target-side queue teardown when processing an initialization connection request and a connection close concurrently. A remote attacker can send an initialization connection request and immediately close the connection to cause a denial of service.

The issue can lead to a second kref_put() being issued on an already released queue.


30) Out-of-bounds read (CVE-ID: CVE-2026-46119)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in libceph auth message processing when handling a crafted CEPH_MSG_AUTH_REPLY message. A remote attacker can send a specially crafted auth reply message to disclose sensitive information.

The issue occurs when a positive result value is misinterpreted as the size of the front segment to send, which can cause memory beyond the allocated buffer to be transmitted.


31) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-46115)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of dev_pagemap boundaries in biovec_phys_mergeable() when coalescing physically contiguous bvec segments. A local user can trigger merging of segments from different dev_pagemaps to cause a denial of service.

The issue occurs when a bio contains bvecs from different dev_pagemaps that are physically contiguous.


32) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46103)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource lifetime management in the ucan USB driver control message buffer when drivers are unbound without physical device disconnection. A local user can trigger driver unbind conditions to cause a denial of service.

This can occur during probe deferral or configuration changes.


33) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-46102)

CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper resource management in strp_abort_strp() when aborting the stream parser after a message assembly timeout. A remote attacker can trigger repeated aborts with partially assembled messages to cause a denial of service.

The issue leaks a reference to a partially assembled message held in strp->skb_head.


34) Improper input validation (CVE-ID: CVE-2026-46101)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in nft_bitwise when initializing left and right shift expressions with a zero shift operand. A local user can create a malformed rule to cause a denial of service.

The issue is triggered in the control plane before malformed rules reach the packet path.


35) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-46100)

CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper reference count management in the afs mmap handling code when preparing memory mappings. A local user can trigger memory mapping operations to cause a denial of service.

The issue can occur if a merge or allocation failure happens after the preparation step, leading to a leaked reference count increment.


36) Use-after-free (CVE-ID: CVE-2026-46099)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in seg6 and rpl lwtunnels when processing IPv6 routing lookups and caching a NOREF destination entry. A local user can trigger a race condition to cause a denial of service.

Exploitation requires PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK and a concurrent task able to release a shared nexthop per-cpu route entry.


37) Use-after-free (CVE-ID: CVE-2026-46098)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a use-after-free in the caif client teardown logic when handling remote shutdown and subsequent socket destruction. A remote attacker can trigger repeated teardown to cause a denial of service.


38) Use-after-free (CVE-ID: CVE-2026-46097)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the edt-ft5x06 debugfs read functionality when accessing debugfs files during debugfs teardown. A local user can read a debugfs file after teardown begins to cause a denial of service.

The issue arises in a window where debugfs files remain accessible after raw_buffer has been freed.


39) Memory leak (CVE-ID: CVE-2026-46096)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in tpm2_read_public() when processing TPM2 public data. A local user can trigger the vulnerable code path to cause a denial of service.

The issue occurs because allocated buffer memory is not released on certain exit paths, including a successful return and an error return after an unrecognized hash algorithm.


40) Race condition (CVE-ID: CVE-2026-46095)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in md-llbitmap when handling write or discard operations. A local user can trigger concurrent state transitions to cause a denial of service.


41) Out-of-bounds read (CVE-ID: CVE-2026-46094)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in check_xattrs() when processing crafted ext4 extended attribute entries. A local attacker can provide a malformed xattr layout to trigger a read beyond the valid xattr region to disclose sensitive information.


42) Race condition (CVE-ID: CVE-2026-46093)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in decay_va_pool_node() when the shrinker path runs concurrently with vmap area purging. A local user can trigger concurrent shrinker and purge activity to cause a denial of service.

The issue can also result in possible memory leaks.


43) NULL pointer dereference (CVE-ID: CVE-2026-46092)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of a NULL pointer in the rtw88 PCI probing routine when probing an 8821CE device on a root bus without an upstream PCI bridge. A local user can install or attach a device in a crafted PCI topology to cause a denial of service.

The issue is triggered only on systems where the 8821CE device is present on a root bus and no upstream PCI-to-PCI bridge exists.


44) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46091)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of DMA coherency in igorplugusb when processing a USB control request. A local user can trigger a crafted interaction with the USB device to cause a denial of service.


45) Use-after-free (CVE-ID: CVE-2026-46090)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the ALSA aloop peer runtime handling when processing a format-change stop during concurrent stream operations. A local user can trigger concurrent playback start and capture close operations to cause a denial of service.

The issue occurs because a stale peer substream pointer may be used after the capture runtime is detached or freed.


46) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-46089)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of partial discard requests in zram when processing discard operations. A local user can issue a partial discard request to cause a denial of service.

The issue can cause the calling process to sleep indefinitely in submit_bio_wait().


47) Improper input validation (CVE-ID: CVE-2026-46088)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper buffer length validation in snd_ctl_elem_init_enum_names() when parsing enumeration names from a buffer. A local user can provide a crafted buffer with insufficient remaining length to trigger a kernel panic.

The issue is triggered on systems using CONFIG_FORTIFY_SOURCE where fortified strnlen() checks the remaining object size before the return value is examined.


48) Memory leak (CVE-ID: CVE-2026-46087)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in damon_stat_start() when handling a damon_start() failure. A local user can trigger a damon_start() failure to cause a denial of service.

The issue leaves a stale global pointer that can be overwritten on a subsequent enable attempt, making the original allocation permanently unreachable.


49) NULL pointer dereference (CVE-ID: CVE-2026-46086)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in br_fdb_fillbuf() when reading bridge forwarding database entries through the brforward_read() sysfs path during a concurrent local FDB update. A local user can trigger concurrent access to cause a denial of service.

The issue arises because RCU readers can observe inconsistent values of f->dst across a check and a later dereference.


50) Improper input validation (CVE-ID: CVE-2026-46085)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the rxkad crypto handling in rxrpc when processing a packet with a misaligned crypto length. A remote attacker can send a specially crafted packet to cause a denial of service.


51) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46084)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown in RSS queue pair destruction in mana_ib when destroying an RSS queue pair while traffic continues to arrive and the VF interface is subsequently brought up. A local user can destroy an RSS queue pair and trigger interface reinitialization while traffic is still being received to cause a denial of service.

The issue involves stale vPort RX steering configuration in firmware that can direct RX completions to reused TX completion queues.


52) Improper resource shutdown or release (CVE-ID: CVE-2026-46083)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in spi device setup when registering a device after spi_setup() fails. A local user can trigger device setup failure to cause a denial of service.


53) Improper handling of exceptional conditions (CVE-ID: CVE-2026-46082)

CWE-ID: CWE-755 - Improper Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper exception handling in KVM SVM instruction emulation when processing the INVLPGA instruction with EFER.SVME cleared. A local user can execute the INVLPGA instruction in a guest context to cause a denial of service.


54) Type Confusion (CVE-ID: CVE-2026-46081)

CWE-ID: CWE-843 - Type confusion

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to memory corruption in acomp_reqchain_done() when processing asynchronous compression request completion for requests using the DMA virtual address interface. A local user can trigger an asynchronous compression request through a hardware implementation such as the QAT driver to cause a denial of service.

The issue is triggered when the request follows the acomp_do_req_chain() path and the asynchronous completion callback receives a pointer to the chain member instead of the request structure.


55) Resource exhaustion (CVE-ID: CVE-2026-46080)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in ocfs2 when processing direct I/O write completion. A local user can trigger direct I/O operations that exhaust journal transaction credits to cause a denial of service.

A crash during extent tree updates may leave stale blocks beyond EOF.


56) Double free (CVE-ID: CVE-2026-46079)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in the rbd device add error-handling path when handling a failure after device_add() succeeds but device_add_disk() fails. A local user can trigger the vulnerable teardown sequence by writing to /sys/bus/rbd/add_single_major to cause a denial of service.

Exploitation was reproduced when fault injection was confined to the __add_disk() range.


57) Out-of-bounds read (CVE-ID: CVE-2026-46078)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the EROFS directory entry handling code when parsing a crafted EROFS image with a trailing directory entry containing an invalid name offset. A local user can provide a specially crafted EROFS image to disclose sensitive information.

The issue occurs because an unchecked name offset can cause an underflow in the length calculation used by strnlen(), leading to a read past the directory block.


58) Improper synchronization (CVE-ID: CVE-2026-46077)

CWE-ID: CWE-662 - Improper Synchronization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper synchronization in atmel-tdes DMA output handling when processing cryptographic operations. A local user can trigger DMA output processing to disclose sensitive information.

This can result in stale cache data being returned on non-coherent platforms.


59) Improper access control (CVE-ID: CVE-2026-46076)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass hypercall interception controls.

The vulnerability exists due to improper access control in KVM nested SVM handling when processing VMMCALL from an L2 guest. A remote user can invoke an unhandled VMMCALL to bypass hypercall interception controls.

Exploitation requires an active nested virtualization scenario where L2 is running, L1 does not intercept VMMCALL, nested_svm_l2_tlb_flush_enabled() is true, and the hypercall is not one of the supported Hyper-V hypercalls.


60) Use-after-free (CVE-ID: CVE-2026-46075)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the atmel-sha204a remove path when handling device removal with queued hwrng read callbacks. A local user can trigger access to the device during removal to cause a denial of service.


61) Use-after-free (CVE-ID: CVE-2026-46074)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the ch341 SPI driver when handling device probe failures and disconnect events. A local user can trigger crafted device interactions to cause a denial of service.

Exploitation requires local access to attach or interact with the affected USB device.


62) Out-of-bounds read (CVE-ID: CVE-2026-46073)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the powerz hwmon driver when handling a signal interruption during USB transfer completion. A local user can trigger a signal interruption and cause the driver to read from an unfilled transfer buffer to disclose sensitive information.


63) Out-of-bounds read (CVE-ID: CVE-2026-46072)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in run_unpack() when mounting a crafted NTFS image with truncated run data in an MFT attribute. A local user can mount a specially crafted NTFS image to disclose sensitive information.


64) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46071)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in nested_svm_vmexit() and vmcb12 handling when copying last branch records. A local user can trigger a nested SVM VM exit to cause a denial of service.

The issue affects nested virtualization on AMD SVM.


65) Out-of-bounds read (CVE-ID: CVE-2026-46070)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb() when processing corrupted journal metadata blocks. A local user can provide a corrupted journal with payload size fields that extend beyond the metadata block boundary to disclose sensitive information.


66) Use-after-free (CVE-ID: CVE-2026-46069)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in mwifiex_adapter_cleanup() when cleaning up the adapter while the wakeup timer callback is still executing. A local user can trigger device removal during this race condition to cause a denial of service.


67) Memory leak (CVE-ID: CVE-2026-46068)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory management in nx842 crypto context handling when allocating or freeing bounce buffers. A local user can trigger the vulnerable code path to cause a denial of service.


68) Out-of-bounds read (CVE-ID: CVE-2026-46067)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to out-of-bounds memory access in the DAMON core when processing a user-supplied damos_quota_goal->nid value for node_memcg_used_bp or node_memcg_free_bp. A local user can supply an invalid node id to trigger out-of-bounds memory access and cause a denial of service.

Exploitation requires access to the DAMON user-space interface.


69) Off-by-one (CVE-ID: CVE-2026-46066)

CWE-ID: CWE-193 - Off-by-one Error

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an off-by-one error in ceph_process_folio_batch() when handling encrypted CephFS writeback after bounce buffer allocation failure. A local user can write to fscrypt-enabled CephFS files under memory pressure to trigger a kernel panic and cause a denial of service.

The issue is triggered when processing a 4KiB-written/4KiB-skipped pattern and the failed folio is not contiguous with the last folio already added to the batch.


70) Use-after-free (CVE-ID: CVE-2026-46065)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in fbdev deferred I/O handling when accessing a memory mapping after device hot-unplug. A local user can keep an active mapping of graphics memory and access it after hot-unplug to cause a denial of service.

Access to the invalidated mapping may result in a SIGBUS signal.


71) Out-of-bounds read (CVE-ID: CVE-2026-46064)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local privileged user to disclose sensitive information.

The vulnerability exists due to a heap-based buffer over-read in ibmasm_send_i2o_message() when processing a crafted dot command header from a user-supplied buffer. A local privileged user can supply a small buffer with inflated header fields to disclose sensitive information.

The over-read data is forwarded to the service processor over MMIO.


72) Deadlock (CVE-ID: CVE-2026-46063)

CWE-ID: CWE-833 - Deadlock

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking in shadow stack signal frame handling during sigreturn when reading the shadow stack signal frame from userspace. A local user can trigger a page fault during sigreturn to cause a denial of service.

The issue can occur when a writer on another CPU is waiting on the mmap lock, leading to a deadlock in the fault handling path.


73) Integer overflow (CVE-ID: CVE-2026-46062)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an integer overflow in run_unpack() when processing crafted NTFS metadata. A local user can provide a specially crafted NTFS image to trigger the overflow and cause a denial of service.

The issue was found by fuzzing.


74) Deadlock (CVE-ID: CVE-2026-46061)

CWE-ID: CWE-833 - Deadlock

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a deadlock condition in jbd2_journal_cancel_revoke() when handling filesystem operations on filesystems with a block size smaller than the page size. A local user can trigger the deadlock to cause a denial of service.

The issue can cause the system to hang.


75) Improper resource shutdown or release (CVE-ID: CVE-2026-46060)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown in IRQ handler cleanup in the QAT driver when handling a device probe failure after partial initialization. A local user can trigger a probe failure after adf_dev_up() partially completes to cause a denial of service.

The issue occurs because IRQ handlers can remain attached while MSI-X vectors are released during devres cleanup.


76) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46059)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in KVM nSVM nested virtualization handling when processing save and restore of an L2 guest after the first nested VMRUN. A local user can trigger a nested guest state transition to cause a denial of service.

The issue occurs for guests with NRIPS disabled.


77) Use-after-free (CVE-ID: CVE-2026-46058)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition leading to use-after-free in the amphion vpu driver m2m handling when releasing and scheduling the same m2m context concurrently. A local user can trigger concurrent job abort and device run operations to cause a denial of service.

The issue can result in a kernel panic due to a read from freed memory.


78) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46057)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause unexpected audit records.

The vulnerability exists due to improper state management in the Landlock credential blob handling across fork() when transferring credentials for a child process after muting subdomain logs without creating a domain. A local user can fork a process with crafted Landlock credential state to cause unexpected audit records.

The issue occurs when LOG_SUBDOMAINS_OFF is set through the ruleset_fd=-1 path, which commits the field without creating a Landlock domain.


79) Use-after-free (CVE-ID: CVE-2026-46056)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in SSP passkey handlers when handling Bluetooth SSP passkey and keypress notification events. A local user can trigger concurrent connection teardown during event processing to cause a denial of service.


80) Improper access control (CVE-ID: CVE-2026-46054)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass SELinux access controls.

The vulnerability exists due to improper access control in the SELinux access checks for mmap() and mprotect() operations on overlayfs filesystems. A local user can map or change protections on an overlayfs file to bypass SELinux access controls.


81) Double free (CVE-ID: CVE-2026-46053)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in __rds_rdma_map() when copying the generated cookie back to user space. A local user can trigger a copy error after memory region registration succeeds to cause a denial of service.


82) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-46052)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of negative dentries in fs/ceph/dir.c when processing Ceph lookup or atomic_open operations with reused cached negative dentries. A local user can trigger lookup paths that call d_add() on an already-hashed negative dentry to cause a denial of service.

The issue can corrupt the dcache hash bucket, potentially creating a self-loop that causes __d_lookup() to spin forever and trigger RCU stall reports.


83) Improper locking (CVE-ID: CVE-2026-46051)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in retry_aligned_read() when processing overlapped stripes. A local user can trigger overlapped stripe handling to cause a denial of service.


84) Integer underflow (CVE-ID: CVE-2026-46050)

CWE-ID: CWE-191 - Integer underflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an integer underflow in the md/raid10 request handling logic when processing nowait I/O requests during an array check operation. A local user can issue nowait I/O on the same array while a check operation is running to cause a denial of service.

The issue can cause the md resync thread and other requests to become stuck waiting on the barrier state.


85) Improper Initialization (CVE-ID: CVE-2026-46049)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper initialization in spdif_passthru_playback_get_resources() when handling S/PDIF passthrough playback setup for 32000 Hz. A local user can trigger audio playback setup to cause a denial of service.

The issue can cause the calculation loop to spin indefinitely because the PLL rate remains 0 after card initialization.


86) Use-after-free (CVE-ID: CVE-2026-46047)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the qrtr namespace remove callback when handling packets during driver removal. A local user can trigger packet delivery during driver removal to cause a denial of service.

The issue occurs in a race window after the workqueue is destroyed and before the socket is released.


87) Improper resource shutdown or release (CVE-ID: CVE-2026-46046)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in ext4_xattr_inode_dec_ref_all() when decrementing extended attribute inode references. A local user can trigger the vulnerable code path to cause a denial of service.

The issue occurs because a buffer head obtained through ext4_get_inode_loc() is not released with brelse(), resulting in a refcount leak when block_csum is false.


88) Improper access control (CVE-ID: CVE-2026-46045)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause data corruption.

The vulnerability exists due to improper access control in md-llbitmap when reading bitmap pages from member disks. A local user can cause the system to read bitmap data from a spare disk that is still being rebuilt to cause data corruption.

The issue occurs because disks that are not fully synchronized may be treated as valid bitmap sources.


89) Improper resource shutdown or release (CVE-ID: CVE-2026-46044)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown in the ssif kthread cleanup logic when handling error conditions after creating the ssif kthread but before starting the ssif interface. A local user can trigger an error condition during ssif interface initialization to cause a denial of service.


90) Integer underflow (CVE-ID: CVE-2026-46043)

CWE-ID: CWE-191 - Integer underflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an integer underflow in rxe_rcv() when processing a crafted RDMA packet with a forged BTH pad field and insufficient length. A remote attacker can send a specially crafted packet to cause a denial of service.

The issue occurs because payload_size() uses the attacker-controlled pad value and ICRC size when calculating the payload length.


91) Memory leak (CVE-ID: CVE-2026-46042)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in weighted_interleave_auto_store() when processing writes that toggle weighted interleave mode. A local user can repeatedly write crafted values such as "1" to trigger memory leaks and cause a denial of service.

The issue can be triggered repeatedly by writing values that match or change the current mode, leading to leaked kernel memory.


92) Improper locking (CVE-ID: CVE-2026-46041)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper lock handling in hdlc_tx_frames() and hdlc_append() when processing frames for transmission. A local user can trigger transmission of frames to cause a denial of service.

The issue can trigger a "BUG: scheduling while atomic" condition.


93) Improper resource shutdown or release (CVE-ID: CVE-2026-46040)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in inotify_new_watch() when handling a failure from fsnotify_add_inode_mark_locked(). A local user can repeatedly trigger watch creation failures to cause a denial of service.

The issue can exhaust the max_user_watches limit with -ENOSPC even when no watches are active.


94) Integer overflow (CVE-ID: CVE-2026-46039)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to integer overflow in rxgk_extract_token() when parsing the length of the ticket. A local user can supply specially crafted input to trigger the integer overflow and cause a denial of service.


95) Memory leak (CVE-ID: CVE-2026-46038)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper resource management in ctrl_cmd_bye() when processing a BYE packet from a node. A remote attacker can send a BYE packet to trigger a memory leak and cause a denial of service.


96) Out-of-bounds read (CVE-ID: CVE-2026-46037)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the IPv4 ICMP reply handling logic when processing extended echo replies. A remote attacker can send a specially crafted ICMP packet to cause a denial of service.


97) Use-after-free (CVE-ID: CVE-2026-46036)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in vfio_cdx_set_msi_trigger() involving the cdx_irqs array when handling concurrent VFIO_DEVICE_SET_IRQS ioctls. A local user can issue concurrent ioctl calls to trigger a use-after-free and cause a denial of service.

The issue occurs because one caller can observe config_msi as set while another caller clears it and frees the associated IRQ array.


98) Improper locking (CVE-ID: CVE-2026-46035)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper lock handling in alloc_frozen_pages_nolock() when it is invoked from NMI context on uniprocessor kernels. A local attacker can trigger re-entry into rmqueue() to corrupt the freelists and cause a denial of service.

Only uniprocessor kernels are affected, and the issue is triggered when the function is called from NMI context.


99) NULL pointer dereference (CVE-ID: CVE-2026-46034)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in vfio_cdx_set_msi_trigger() when handling VFIO_DEVICE_SET_IRQS requests with VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE before interrupts are configured through the EVENTFD path. A local user can call VFIO_DEVICE_SET_IRQS with those flags before setting up interrupts to cause a denial of service.


100) Out-of-bounds read (CVE-ID: CVE-2026-46033)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds access in the authencesn ESN encrypt/decrypt paths when handling AF_ALG requests with a too-short authentication tag inherited from an ahash digest size of 1 to 3 bytes. A local user can select an ahash with a digest size of 1 to 3 bytes and trigger ESN tail handling to cause a denial of service.


101) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-46032)

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper error handling in nested_svm_vmexit() in KVM nSVM when handling a nested #VMEXIT after a failure to restore the host CR3. A local user can trigger a failure while loading L1's CR3 to cause a denial of service.

The issue can leave the guest running with corrupted state after the error is ignored.


102) Improper locking (CVE-ID: CVE-2026-46031)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper lock handling in ks8851_irq() when processing interrupts while transmit softirq processing is triggered during critical sections. A local user can trigger network activity that causes the driver to re-enter the transmit path and deadlock the kernel.

The issue occurs in the ks8851 driver and results in a deadlock involving ks8851_start_xmit_par() while the driver lock is already held.


103) Memory leak (CVE-ID: CVE-2026-46030)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in mc_probe() when parsing a phandle with of_parse_phandle(). A local user can trigger the vulnerable code path to cause a denial of service.


104) Improper locking (CVE-ID: CVE-2026-46029)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper lock handling in kmalloc_nolock() when it is invoked from NMI context on a uniprocessor kernel. A local attacker can trigger re-entry into the slab allocator to cause a denial of service.

On uniprocessor kernels, spin_trylock() unconditionally succeeds even if the lock is already held, which can corrupt slab state.


105) Race condition (CVE-ID: CVE-2026-46028)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the algif_aead AF_ALG AEAD request handling when processing asynchronous AEAD AIO requests. A local user can trigger concurrent socket activity to cause a denial of service.

The issue arises because in-flight operations depend on a mutable socket-wide IV buffer that can be changed before the original request completes.


106) Improper Initialization (CVE-ID: CVE-2026-46027)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper access to uninitialized state in smc_clc_wait_msg() when handling a CLC decline during an early handshake stage before link group association. A remote attacker can send a specially crafted decline message to cause a denial of service.

The issue occurs for first-contact declines received before link group setup has completed.


107) Improper input validation (CVE-ID: CVE-2026-46026)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the qrtr nameserver lookup handling when processing NEW_LOOKUP messages over the same socket. A local user can send a flood of NEW_LOOKUP messages to cause a denial of service.

The issue is limited to local clients.


108) Race condition (CVE-ID: CVE-2026-46025)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in damon_call() when registering requests during kdamond termination. A local user can trigger concurrent DAMON API activity to cause a denial of service.

Requests using repeat mode do not block, but memory can be leaked if dealloc_on_cancel is also set.


109) NULL pointer dereference (CVE-ID: CVE-2026-46024)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a null pointer dereference in ceph_handle_auth_reply() when handling a crafted CEPH_MSG_AUTH_REPLY message. A remote attacker can send a specially crafted auth reply message to cause a denial of service.

The issue is triggered when both the protocol and result fields in the message are zero.


110) Integer overflow (CVE-ID: CVE-2026-46023)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to integer overflow in create_dirty_log() when parsing a device mapper table string. A local user can supply a crafted param_count value to trigger out-of-bounds reads on the argv array to disclose sensitive information.


111) Out-of-bounds read (CVE-ID: CVE-2026-46022)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in ibmasm_handle_mouse_interrupt() when handling a mouse interrupt with out-of-range queue reader or writer indices from MMIO registers. A remote privileged user can write a crafted out-of-range value to the reader or writer MMIO register before asserting an interrupt to cause a denial of service.

For sufficiently large index values, the resulting MMIO access can fall outside the PCI BAR mapping and trigger a machine check exception.


112) Use-after-free (CVE-ID: CVE-2026-46021)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in thermal_set_governor() and thermal_zone_device_unregister() when handling concurrent governor updates via sysfs during thermal zone unregistration. A local user can trigger a governor update race to cause a denial of service.

The issue can occur if thermal_zone_device_register_with_trips() fails after adding a thermal governor to the thermal zone being registered.


113) Out-of-bounds read (CVE-ID: CVE-2026-46020)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local privileged user to cause a denial of service.

The vulnerability exists due to out-of-bounds memory access in mm/damon/core when processing DAMON_SYSFS quota goal node identifiers for node_mem_used_bp and node_mem_free_bp. A local privileged user can set an arbitrary node id value via DAMON_SYSFS to cause a denial of service.

The issue can be triggered using the DAMON user-space tool.


114) Improper resource shutdown or release (CVE-ID: CVE-2026-46019)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in atmel_aes_buff_cleanup() when cleaning up AES buffer allocations. A local user can trigger allocation and cleanup operations to cause a denial of service.


115) Improper input validation (CVE-ID: CVE-2026-46018)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper input validation in parse_uac2_sample_rate_range() when parsing a malformed UAC2 range response from a USB audio device. A local attacker can provide a specially crafted UAC2 range response to cause a denial of service.

The issue can trigger repeated kernel log messages while device probing still holds register_mutex.


116) NULL pointer dereference (CVE-ID: CVE-2026-46016)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a null pointer dereference in the xlnx remoteproc receive callback when processing a received message. A local user can trigger the callback with a NULL message pointer to cause a denial of service.


117) Improper locking (CVE-ID: CVE-2026-46015)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper notification handling in inet_csk_listen_stop() when migrating an established child socket between listeners in the same SO_REUSEPORT group. A local user can trigger listener migration to cause poll()/epoll_wait() waiters and blocking accept() callers to remain asleep indefinitely.

Nonblocking accept() is not affected because it checks the accept queue directly.


118) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46014)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disrupt virtual machine state handling.

The vulnerability exists due to improper state management in KVM SVM LBR MSR save and restore handling when processing userspace MSR save and restore operations. A local user can trigger incorrect handling of LBR and debug control MSRs to disrupt virtual machine state handling.

Exploitation requires access to userspace interfaces that manage virtual CPU MSR state, and LBR-related behavior depends on LBR virtualization being enabled.


119) Improper input validation (CVE-ID: CVE-2026-46013)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the memfd_luo_retrieve_folios() cleanup path when processing folios during cleanup. A local user can trigger cleanup on crafted folio state to cause a denial of service.

The issue involves incorrect handling of raw PFN values during physical address restoration and missing checks for sparse file holes where pfn=0.


120) Improper resource shutdown or release (CVE-ID: CVE-2026-46012)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in rxkad_verify_response() when processing RxRPC authentication responses. A local user can trigger the vulnerable code path to cause a denial of service.


121) Use-after-free (CVE-ID: CVE-2026-46011)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the mtk_jpeg_release() release path when closing the device while queued or running JPEG work is still pending. A local user can close the device during JPEG encode or decode operations to cause a denial of service.

The issue is caused by a race condition between the release path and the workqueue callback.


122) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-46010)

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper error handling in rxgk_extract_token() when processing token data. A local user can trigger an -ENOMEM condition to cause a denial of service.


123) Improper resource shutdown or release (CVE-ID: CVE-2026-46009)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in the pci-epf-ntb endpoint function driver when handling link setup or teardown operations. A local user can trigger .allow_link failure or .drop_link handling to cause a denial of service.


124) Race condition (CVE-ID: CVE-2026-46008)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in damos_walk() and kdamond_fn() when handling request registration during DAMON context termination. A local user can trigger concurrent request handling and context shutdown to cause a denial of service.

The issue can cause the caller thread to wait indefinitely because a newly registered request may never be handled or cancelled.


125) Memory corruption (CVE-ID: CVE-2026-46007)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory buffer restrictions in the powerz hwmon driver DMA transfer buffer when performing DMA operations. A local user can trigger DMA activity to cause a denial of service.

The issue arises because the transfer buffer may share a cacheline with a following mutex on affected architectures.


126) Integer overflow (CVE-ID: CVE-2026-46006)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an integer overflow in nouveau_gem_pushbuf_reloc_apply() when performing relocation bounds checks. A local user can provide a crafted relocation offset to cause a denial of service.


127) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-46005)

CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a resource leak in xfs_alloc_buftarg() when handling an error path. A local user can trigger the vulnerable error condition to cause a denial of service.


128) Use-after-free (CVE-ID: CVE-2026-46004)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the caiaq driver setup_card() error handling when probing the device. A local user can trigger a probe error to cause a denial of service.

The issue occurs because execution continues after freeing the sound card during certain error paths.


129) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-46003)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper resource allocation in the qrtr nameserver when handling node registration requests. A remote attacker can register random nodes to exhaust memory and cause a denial of service.


130) Improper input validation (CVE-ID: CVE-2026-46002)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in ext2_iget() when loading a crafted ext2 filesystem image containing an inode with zero i_nlink, non-zero i_mode, and zero i_dtime. A local user can mount or otherwise present a specially crafted filesystem image to trigger kernel warnings and cause a denial of service.

The issue is triggered when the malformed inode reaches VFS name operations such as unlink, rename, or rmdir.


131) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-46001)

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to cause incorrect processing of stale or incomplete data.

The vulnerability exists due to improper error handling in pt5161l_read_block_data() when handling block data reads with an unexpected length. A local attacker can cause a device to repeatedly return data with an unexpected length so the function returns a positive value and callers process stale or incomplete data.

The issue occurs when all three retries are exhausted and a positive byte count is returned instead of an error.


132) Stack-based buffer overflow (CVE-ID: CVE-2026-46001)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to a stack-based buffer overflow in pt5161l_read_block_data() when reading block data from an I2C device. A local attacker can cause a device to return more than 24 bytes to trigger a stack overrun and cause a denial of service.


133) Out-of-bounds read (CVE-ID: CVE-2026-45999)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in z_erofs_lz4_handle_overlap() when processing a crafted EROFS image during LZ4 inplace decompression. A local user can mount a crafted image and trigger decompression to disclose sensitive information.

The issue occurs for illegal extents where partial decoding is disabled and m_llen is smaller than m_plen, causing an unsigned underflow in the outpages minus inpages calculation.


134) Improper resource shutdown or release (CVE-ID: CVE-2026-45997)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in sd_probe() error handling when device_add(&disk_dev) fails. A local user can trigger a device addition failure to cause a denial of service.


135) Use-after-free (CVE-ID: CVE-2026-45996)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the spi-imx driver when unbinding the driver. A local user can trigger driver unbinding to cause a denial of service.


136) Use-after-free (CVE-ID: CVE-2026-45995)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in io_free_rbuf_ring() when freeing a provided buffer ring after io_zcrx_ifq_free() has released the associated user_struct. A local user can trigger the affected io_uring zcrx cleanup path to cause a denial of service.


137) Out-of-bounds read (CVE-ID: CVE-2026-45994)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to out-of-bounds read in command_file_write() when processing a crafted dot command buffer. A local user can supply header fields that cause the declared command size to exceed the allocated buffer to disclose sensitive information.

Kernel heap memory may be leaked to the service processor through an out-of-bounds memcpy_toio() operation.


138) Heap-based buffer overflow (CVE-ID: CVE-2026-45991)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a heap-based buffer overflow in part_descs_loc[] handling in handle_partition_descriptor() when mounting a crafted UDF image with repeated partition descriptors. A local user can supply a specially crafted UDF image to cause a denial of service.


139) Out-of-bounds write (CVE-ID: CVE-2026-45990)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in krealloc() and kvrealloc() fallback paths when shrinking an object while forcing a new alignment or NUMA migration. A local user can trigger a reallocation with crafted size and alignment parameters to cause a denial of service.

The issue can also result in zero-byte copying during NUMA migration in the reallocation path.


140) Use-after-free (CVE-ID: CVE-2026-45989)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in testdrv_probe() when processing a device node obtained from a PCI device after applying an overlay. A local user can trigger the vulnerable code path to cause a denial of service.


141) Improper Initialization (CVE-ID: CVE-2026-45988)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper state management in RxRPC packet processing when handling RESPONSE or CHALLENGE packets after a temporary processing failure. A remote attacker can send a sequence of crafted packets that trigger packet reprocessing to cause a denial of service.

The issue can occur when a packet is left in a partially decrypted state and then requeued for retry.


142) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45987)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state synchronization in nested SVM interrupt shadow handling when restoring nested virtual machine state. A local user can trigger restoration of nested state with KVM_SET_VCPU_EVENTS preceding KVM_SET_NESTED_STATE to cause a denial of service.

The issue affects L2 guests, where an incorrectly restored interrupt shadow can cause the vCPU to hang.


143) Memory leak (CVE-ID: CVE-2026-45986)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in cc_mac_digest() when handling a hash request finalization failure. A local user can trigger a failure condition to cause a denial of service.


144) Out-of-bounds write (CVE-ID: CVE-2026-43501)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in ipv6_rpl_srh_rcv() and skb_mac_header_rebuild() when processing a crafted IPv6 packet with a recompressed type-3 source routing header. A local user can send a specially crafted raw IPv6 packet to trigger an out-of-bounds write and cause a denial of service.

Exploitation requires the ability to send an AF_INET6 SOCK_RAW packet with IPV6_HDRINCL over the loopback interface.


145) Use-after-free (CVE-ID: CVE-2026-43499)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in remove_waiter() when rolling back a proxy lock from futex_requeue(). A local user can trigger the affected rtmutex slowlock and proxy-lock rollback path to cause a denial of service.

The issue can leave waiter task state uncleared and operate on the wrong top priority waiter task.


146) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43493)

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of error conditions in the pcrypt crypto subsystem when processing MAY_BACKLOG requests. A local user can trigger requests that return EBUSY to cause a denial of service.


147) Improper input validation (CVE-ID: CVE-2026-43491)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the qrtr namespace service when handling NEW_SERVER messages. A remote attacker can send a flood of NEW_SERVER messages to cause a denial of service.

Exploitation can exhaust memory by registering excessive servers for a node.


148) Out-of-bounds read (CVE-ID: CVE-2026-43350)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in parse_dacl() when parsing ACE SIDs returned by an SMB server. A remote attacker can send a specially crafted ACE with a truncated NFS mode SID to disclose sensitive information.

The issue occurs because an ACE with only two subauthorities can still match the NFS mode SID pattern, leading to a read of sid.sub_auth[2] past the end of the ACE.


149) Use of Uninitialized Variable (CVE-ID: CVE-2026-43349)

CWE-ID: CWE-457 - Use of Uninitialized Variable

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to uninitialized memory access in f2fs_sanity_check_node_footer() when processing a crafted f2fs filesystem image during mount or inode read operations. A local user can mount a specially crafted filesystem image to cause a denial of service.


150) Improper input validation (CVE-ID: CVE-2026-43348)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the mshv_vtl VTL0 memory registration logic when handling a crafted MSHV_ADD_VTL0_MEMORY request. A local user can register a sufficiently aligned memory range to cause a denial of service.

The issue is triggered when the computed vmemmap_shift exceeds MAX_FOLIO_ORDER, causing memremap_pages() to emit a warning and fail with -EINVAL.


151) Improper access control (CVE-ID: CVE-2026-43073)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper access control in the __copy_user_nocache() function when performing kernel memory copies with a user-copy interface. A local user can trigger the vulnerable code path to cause a denial of service.

The issue arises from misuse of a function intended for specialized memory copying with exception handling for user space accesses.


152) Improper input validation (CVE-ID: CVE-2026-43072)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in vc4 DRM driver interrupt handling when initializing platform interrupts by name. A local user can trigger an error condition in which a negative IRQ value is used, causing a denial of service.


153) Out-of-bounds read (CVE-ID: CVE-2026-43071)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in dentry_hashtable when processing lookups with dhash_entries set to 1. A local user can trigger filesystem lookup operations to cause a denial of service.

The issue occurs because a single hash bucket can cause an invalid shift calculation that leads to access of unallocated memory.


154) Use of Uninitialized Variable (CVE-ID: CVE-2026-43058)

CWE-ID: CWE-457 - Use of Uninitialized Variable

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to use of uninitialized memory in vidtv_ts_null_write_into() and vidtv_ts_pcr_write_into() when processing struct arguments passed by value. A local user can trigger the affected code path to disclose sensitive information.


155) Improper validation of integrity check value (CVE-ID: CVE-2026-31719)

CWE-ID: CWE-354 - Improper Validation of Integrity Check Value

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass integrity verification.

The vulnerability exists due to improper integrity check handling in krb5enc_dispatch_decrypt() when processing asynchronous decrypt operations. A local user can trigger asynchronous decryption completion to bypass integrity verification.


156) Use-after-free (CVE-ID: CVE-2026-31718)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to a use-after-free in __ksmbd_close_fd() when processing durable file handles that survive session disconnect and are later timed out by the durable scavenger. A remote user can trigger session disconnect without SMB2_LOGOFF and cause lock cleanup to access a freed connection object to cause a denial of service.

The issue occurs when a durable file handle is preserved for later reconnection and byte-range locks remain associated with the old connection.


157) Improper access control (CVE-ID: CVE-2026-31717)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear


The vulnerability allows a remote user to hijack an orphaned durable handle.

The vulnerability exists due to improper access control in durable handle reconnect validation in ksmbd when processing SMB2 durable handle reconnect requests. A remote user can predict or brute-force the persistent ID to reconnect to and hijack an orphaned durable handle.

The issue occurs because the reconnecting user's security context is not verified against the original opener's identity.


158) Out-of-bounds write (CVE-ID: CVE-2026-31716)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in journal replay file record handling in fs/ntfs3 when processing a corrupted filesystem during journal replay. A local user can provide a crafted filesystem image with invalid file record metadata to cause a denial of service.

The issue occurs when the file record used size is smaller than a validated attribute offset or larger than the record size, causing length calculations for memmove operations to underflow.


159) Use-after-free (CVE-ID: CVE-2026-31715)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in f2fs_write_end_io() and f2fs_in_warm_node_list() when handling concurrent write completion and unmount operations. A local user can trigger the race condition to cause a denial of service.

The issue can lead to a NULL pointer dereference and kernel panic during processing of F2FS checkpoint data pages.


160) Improper resource shutdown or release (CVE-ID: CVE-2026-31714)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in f2fs_rename() when handling rename operations. A local user can trigger a memory leak by invoking crafted rename activity to cause a denial of service.


161) Improper locking (CVE-ID: CVE-2026-31713)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of a fatal signal in FUSE sync initialization when mounting a FUSE filesystem with sync init while the server exits during FUSE_INIT processing. A local user can trigger a mount operation under these conditions to cause a denial of service.

The issue causes the filesystem creation to hang because the mounting thread keeps the device file descriptor open, preventing an abort from occurring.


162) Out-of-bounds read (CVE-ID: CVE-2026-31712)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in smb_check_perm_dacl() when processing a crafted DACL during SMB permission checks. A remote user can set a crafted ACL on a file they own and trigger a subsequent CREATE request to cause a denial of service.

The issue is reachable by an authenticated SMB client with permission to set an ACL on a file, and it is not pre-authentication. The out-of-bounds read is not reflected to the attacker, but KASAN reports and kernel state corruption are possible.


163) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-31711)

CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper resource management in ksmbd_tcp_new_connection() when handling TCP connections that trigger transport allocation failure. A remote attacker can hold open connections with large RFC1002 lengths to cause a denial of service.

The issue is reachable pre-authentication over TCP port 445, and repeated allocation failures can exhaust the connection slot counter until subsequent connection attempts are rejected for the remainder of the boot.


164) Improper Initialization (CVE-ID: CVE-2026-31710)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause incorrect path handling.

The vulnerability exists due to improper state management in cifs_mount_get_tcon() for SMB1 UNIX mounts when updating mount flags during mount processing. A local user can trigger the use of incorrect directory separators in paths to cause incorrect path handling.

The issue occurs when SMB1 UNIX mounts are used and the CIFS_MOUNT_POSIX_PATHS bit is missing from mnt_cifs_flags.


165) Out-of-bounds read (CVE-ID: CVE-2026-31709)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in cifsacl DACL rewrite helpers when processing a server-supplied truncated DACL. A remote attacker can send a malformed ACL response to cause a denial of service.

The issue occurs because the incoming DACL body and each ACE were not structurally validated before chmod/chown security descriptor rebuild paths walked the ACE list.


166) Out-of-bounds read (CVE-ID: CVE-2026-31708)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in smb2_ioctl_query_info() when processing a crafted QUERY_INFO response from an SMB server. A remote attacker can return a malformed response with an OutputBufferLength larger than the actual response buffer to disclose sensitive information.


167) Integer overflow (CVE-ID: CVE-2026-31707)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an integer overflow in ipc_validate_msg() when validating daemon response messages. A local user can supply a specially crafted daemon response with a wrapped size value to cause a denial of service.

The issue affects multiple response types, including RPC request, share config request, and extended login request handling, and negative ngroups values can influence size computation.


168) Improper input validation (CVE-ID: CVE-2026-31706)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper input validation in smb_inherit_dacl() when processing a tampered parent directory DACL xattr during SMB2 CREATE. A remote user can trigger inheritance of a crafted security.NTACL value to cause a denial of service.

Exploitation requires a parent directory security.NTACL xattr to be tampered while preserving the hash bytes so the xattr check passes.


169) Out-of-bounds write (CVE-ID: CVE-2026-31705)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in smb2_get_ea() when processing crafted QUERY_INFO compound requests. A remote user can send a specially crafted request to cause a denial of service.

The issue occurs when EA alignment padding is applied after an EA value exactly fills the remaining response buffer, causing 1 to 3 bytes to be written past the boundary into adjacent kernel heap memory.


170) Integer overflow (CVE-ID: CVE-2026-31704)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause memory corruption.

The vulnerability exists due to an integer overflow in set_posix_acl_entries_dacl() and set_ntacl_dacl() when processing files with many POSIX ACL entries. A local user can create a file with many POSIX ACL entries to cause memory corruption.

The accumulated DACL size can wrap past 65535, causing subsequent writes to overwrite earlier ACE entries and resulting in a truncated DACL size value.


171) Use-after-free (CVE-ID: CVE-2026-31703)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in inode_switch_wbs_work_fn() when processing queued writeback switching work items. A local user can trigger the vulnerable workqueue state to cause a denial of service.


172) Use-after-free (CVE-ID: CVE-2026-31702)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in f2fs_compress_write_end_io() when handling compressed writeback completion during a concurrent unmount. A local user can trigger the race condition to cause a denial of service.

The issue occurs in the compressed writeback completion path and requires a race with filesystem unmount activity.


173) Use-after-free (CVE-ID: CVE-2026-31701)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the ALSA caiaq driver card free callback when handling device teardown after a disconnect. A local user can trigger asynchronous cleanup after the USB device has been disconnected to cause a denial of service.

The issue occurs because the driver stores a pointer to the parent USB device without taking a reference, and the cleanup path may dereference the freed usb_device.


174) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-31700)

CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass safety checks.

The vulnerability exists due to a time-of-check time-of-use race condition in tpacket_snd() when processing a mmap'd vnet_hdr in the TPACKET TX path with PACKET_VNET_HDR enabled. A local user can modify vnet_hdr fields in the shared ring buffer between validation and use to bypass safety checks.

Only the TPACKET TX path is affected.


175) Out-of-bounds read (CVE-ID: CVE-2026-31699)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the sev_ioctl_do_pek_csr ioctl handler when processing a PEK CSR retrieval request after a failed firmware command. A local user can supply a too-small userspace buffer and length to trigger a copy to userspace that discloses sensitive information.

The issue occurs when the firmware reports an invalid length for the requested blob.


176) Out-of-bounds read (CVE-ID: CVE-2026-31698)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in sev_ioctl_do_pdh_export when handling a PDH certificate export ioctl after a firmware command failure caused by an invalid length. A local user can provide a userspace buffer and length that are too small to trigger copying beyond the kernel-allocated buffer to disclose sensitive information.

The issue occurs when retrieving the PDH certificate and the firmware reports the required size after the supplied userspace buffer is too small.


177) Out-of-bounds read (CVE-ID: CVE-2026-31697)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in sev_ioctl_do_get_id2 in the ccp/sev ioctl handler when handling a request to retrieve the CPU ID with a userspace buffer and length that are too small after a firmware command failure. A local user can issue a specially crafted ioctl request to disclose sensitive information.

The issue occurs when the firmware command fails due to an invalid length and the kernel still copies the firmware-required byte count to userspace.


178) Improper input validation (CVE-ID: CVE-2026-31696)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in rxrpc_preparse() when parsing non-XDR key payloads. A local user can provide a crafted key payload with an oversized ticket length to cause a denial of service.

The issue is triggered later when the key is read via rxrpc_read(), causing the token size calculation to exceed AFSTOKEN_LENGTH_MAX and hit a WARN_ON().


179) Heap-based buffer overflow (CVE-ID: CVE-2026-31694)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a heap-based buffer overflow in fuse_add_dirent_to_cache() when processing directory entries returned by a FUSE server. A remote attacker can return a specially crafted directory entry with an oversized name length to cause a denial of service.

The issue occurs when a serialized directory entry exceeds a single page size and is copied into the readdir cache.


180) Double free (CVE-ID: CVE-2026-31686)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in kasan_free_pxd() when freeing kasan page table entries during memory unmapping. A local user can trigger the vulnerable code path to cause a denial of service.

The issue was observed on powerpc systems with 64K page size where PUD tables can be allocated from the pgtable-2^9 slab cache.


181) Use-after-free (CVE-ID: CVE-2026-31629)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc() when handling sockets in the LLCP_CLOSED state. A local user can trigger the affected code path to cause a denial of service.


182) Information disclosure (CVE-ID: CVE-2026-31628)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to disclose sensitive information.

The vulnerability exists due to improper isolation of partial divider results in x86 CPU handling when executing division operations on Zen1 processors. A local attacker can run a thread that observes residual partial results from previous operations to disclose sensitive information.

Exploitation requires another thread to access leaked partial results left by a previous operation under certain circumstances.


183) Improper input validation (CVE-ID: CVE-2026-31627)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the s3c24xx i2c driver when processing SMBUS messages. A local user can provide a specially crafted SMBUS message with an invalid size field to cause a denial of service.


184) Use of Uninitialized Variable (CVE-ID: CVE-2026-31626)

CWE-ID: CWE-457 - Use of Uninitialized Variable

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use of uninitialized memory in rtw_BIP_verify() when processing BIP data. A local user can trigger the function with crafted input to cause a denial of service.


185) NULL pointer dereference (CVE-ID: CVE-2026-31625)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in alps_raw_event() when processing raw HID events. A local user can trigger the vulnerable code path to cause a denial of service.


186) Integer overflow (CVE-ID: CVE-2026-31624)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to an undefined shift caused by improper input validation in s32ton() when processing a malicious HID report descriptor during output report construction. A local attacker can supply a broken HID device with an oversized report_size field to cause a denial of service.

The issue is triggered when an output report is built via hid_output_field() or hid_set_field().


187) Out-of-bounds write (CVE-ID: CVE-2026-31623)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows an attacker with physical access to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in rx_complete() in the cdc-phonet driver when processing bulk transfers from a malicious USB device claiming to be a CDC Phonet modem. An attacker with physical access can send an unbounded sequence of full-page bulk transfers to cause a denial of service.


188) Heap-based buffer overflow (CVE-ID: CVE-2026-31622)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a heap-based buffer overflow in digital_in_recv_sdd_res() when processing crafted NFC-A SDD and SEL responses from a peer device. A remote attacker can send crafted responses to cause a denial of service.

The issue occurs because the peer device can control the number of NFC-A anti-collision cascade rounds and the amount of data appended to target->nfcid1 on each round.


189) NULL pointer dereference (CVE-ID: CVE-2026-31621)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the bnge auxiliary device error-handling path when handling a failure from auxiliary_device_add(). A local user can trigger the error path to cause a denial of service.


190) NULL pointer dereference (CVE-ID: CVE-2026-31620)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows an attacker with physical access to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the usx2y us144mkii driver when processing a malicious USB device configuration descriptor that omits interface 0. An attacker with physical access can connect a specially crafted USB device with the TASCAM US-144MKII device ID to cause a denial of service.


191) Out-of-bounds read (CVE-ID: CVE-2026-31619)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the efr_status_names[] string array lookup in the ALSA fireworks driver when processing a device-supplied EFW response status value. A local user can supply a crafted status value from a firewire device to cause a denial of service.


192) Division by zero (CVE-ID: CVE-2026-31618)

CWE-ID: CWE-369 - Divide By Zero

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a divide-by-zero in the tdfxfb driver when handling FBIOPUT_VSCREENINFO requests. A local user can submit crafted screen information to trigger a kernel crash and cause a denial of service.


193) Integer underflow (CVE-ID: CVE-2026-31617)

CWE-ID: CWE-191 - Integer underflow

CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows an attacker with physical access to disclose sensitive information.

The vulnerability exists due to an integer underflow in ncm_unwrap_ntb() in the f_ncm USB gadget component when processing a host-supplied NTB header. An attacker with physical access can provide a crafted NTB header with a too-small block length and out-of-bounds indexes to disclose sensitive information.

The issue can cause adjacent kernel memory to be copied into a network skb.


194) Out-of-bounds write (CVE-ID: CVE-2026-31616)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause memory corruption.

The vulnerability exists due to an out-of-bounds write in pn_rx_complete() when processing an unbounded sequence of full-page USB OUT transfers. A remote attacker can send a crafted sequence of full-page USB OUT transfers to cause memory corruption.

The issue affects a Linux gadget exposing a Phonet function and occurs when each transfer is exactly PAGE_SIZE bytes, preventing the skb from being reset.


195) Improper input validation (CVE-ID: CVE-2026-31615)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in standard request handlers in the renesas_usb3 USB gadget driver when processing host-supplied standard USB requests. A remote attacker can send a specially crafted request with an invalid endpoint index to cause a denial of service.


196) Out-of-bounds read (CVE-ID: CVE-2026-31614)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in check_wsl_eas() when processing extended attribute data from an SMB server response. A remote attacker can send a specially crafted server response to disclose sensitive information.

The issue can leak up to 8 bytes of kernel heap memory and can influence which WSL xattr the data is interpreted as.


197) Out-of-bounds read (CVE-ID: CVE-2026-31613)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the SMB client symlink response parser when parsing a crafted symlink error response from an untrusted server. A remote attacker can send a specially crafted SMB response to disclose sensitive information.

The exposed heap bytes are UTF-16-decoded into the symlink target and returned to userspace via readlink(2).


198) Out-of-bounds read (CVE-ID: CVE-2026-31612)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in smb2_get_ea() when handling crafted SMB2 extended attribute requests. A remote attacker can send a specially crafted request to disclose sensitive information.

Uninitialized heap values may be leaked to the client.


199) Out-of-bounds read (CVE-ID: CVE-2026-31611)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to modify file permissions.

The vulnerability exists due to an out-of-bounds read in parse_dacl() when processing a crafted security descriptor containing an ACE SID with only two sub-authorities that matches the sid_unix_NFS_mode prefix. A remote attacker can send a specially crafted security descriptor to modify file permissions.

The issue occurs when the crafted ACE is placed at the end of the security descriptor, causing 4 bytes past the end of the ACL to be read and masked into the low 9 bits as the file's POSIX mode.


200) Memory leak (CVE-ID: CVE-2026-31610)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a memory leak in smb2_sess_setup() SPNEGO negotiation handling when processing a malformed SPNEGO negotiation token. A remote attacker can send a specially crafted negotiation blob to cause a denial of service.

The issue is reachable pre-authentication, and malformed later elements in the same token can leave an allocated mechToken uncleared after both SPNEGO grammars fail.


201) Double free (CVE-ID: CVE-2026-31609)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in smbd_free_send_io() when processing SMB Direct send operations after batch flush handling. A local user can trigger the affected code path to cause a denial of service.


202) Double free (CVE-ID: CVE-2026-31608)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in smb_direct_free_sendmsg() when freeing send messages after flushing the send list. A local user can trigger the affected code path to cause a denial of service.


203) Heap-based buffer overflow (CVE-ID: CVE-2026-31607)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in usbip_pack_ret_submit() when processing a RET_SUBMIT response from a USB/IP server. A remote attacker can send a specially crafted response with an oversized number_of_packets value to cause a denial of service or execute arbitrary code.

The issue occurs because the response value is later used as the loop bound for accesses to urb->iso_frame_desc[], whose allocation size was determined by the original submission.


204) Use-after-free (CVE-ID: CVE-2026-31606)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the f_hid HID gadget character device handling when unbinding and binding the gadget while the /dev/hidg* device remains open. A local user can keep the device open and trigger unbind and bind operations to cause a denial of service.


205) Division by zero (CVE-ID: CVE-2026-31605)

CWE-ID: CWE-369 - Divide By Zero

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a divide-by-zero in the udlfb driver when handling FBIOPUT_VSCREENINFO ioctl requests. A local user can submit crafted screen information values to trigger a kernel crash and cause a denial of service.


206) Memory leak (CVE-ID: CVE-2026-31604)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in the rtw88 USB driver probe path when handling device initialization failures. A local user can trigger a probe failure to cause a denial of service.


207) Division by zero (CVE-ID: CVE-2026-31603)

CWE-ID: CWE-369 - Divide By Zero

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a division by zero in ps_to_hz() when handling an FBIOPUT_VSCREENINFO request with a zero pixclock value. A local user can supply crafted screen information to trigger a division by zero and cause a denial of service.


208) Out-of-bounds write (CVE-ID: CVE-2026-31602)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds access in ct_vm_map() in the ALSA ctxfi driver when handling large aggregate memory allocations for playback streams. A local user can trigger crafted allocation patterns through ioctl operations to cause a denial of service.

The issue is triggered on AMD64 systems when aggregate memory allocations exceed the single-page table coverage limit.


209) Improper Initialization (CVE-ID: CVE-2026-31601)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper initialization in xe_vfio_pci_core_device reset handling when issuing reset on VF devices that do not support migration. A local user can write to the reset sysfs attribute to cause a denial of service.


210) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-31600)

CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of invalid large leaf mappings in arm64 memory management code when processing invalid page table entries in the linear map. A local user can trigger access to memory backed by an invalid large leaf mapping to cause a denial of service.

The issue can result in a kernel panic during affected memory-mapping operations.


211) NULL pointer dereference (CVE-ID: CVE-2026-31599)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in vidtv_channel_pmt_match_sections when handling a memory allocation failure from vidtv_psi_pmt_stream_init. A local user can trigger the vulnerable code path to cause a denial of service.


212) Deadlock (CVE-ID: CVE-2026-31598)

CWE-ID: CWE-833 - Deadlock

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an inconsistent lock ordering that can lead to deadlock in ocfs2 unlink and direct I/O write completion handling when concurrent unlink and dio_end_io_write operations are performed. A local user can trigger concurrent file operations to cause a denial of service.


213) Use-after-free (CVE-ID: CVE-2026-31597)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in ocfs2_fault() when handling a page fault that returns VM_FAULT_RETRY. A local user can trigger a concurrent munmap() during fault handling to cause a denial of service.


214) Improper input validation (CVE-ID: CVE-2026-31596)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in ocfs2_group_extend when handling a crafted filesystem through the resize ioctl. A local user can trigger the resize operation on a crafted filesystem image to cause a denial of service.

The issue occurs because an invalid global bitmap inode can reach the JBD2-managed buffer path and lead to a kernel BUG instead of a clean failure.


215) Race condition (CVE-ID: CVE-2026-31595)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the epf_ntb_cmd_handler work handler in pci-epf-vntb when cleaning up endpoint controller resources. A local user can trigger the vulnerable cleanup path to cause a denial of service.


216) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31594)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the pci-epf-vntb endpoint function driver when handling endpoint link setup or teardown failures. A local user can trigger link operations that result in duplicate resource teardown, causing a denial of service.

The issue can result in a kernel oops when .allow_link fails or when .drop_link is performed.


217) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-31593)

CWE-ID: CWE-1284 - Improper Validation of Specified Quantity in Input

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state validation in the KVM SEV VMSA synchronization logic when synchronizing vCPU state to an already-launched and encrypted vCPU. A local user can issue a crafted ioctl sequence to cause a denial of service.

On hosts with SNP enabled, accessing guest-private memory triggers an RMP page fault that panics the host. In SEV-ES environments without SNP, the issue may clobber guest state instead of panicking the host.


218) Improper locking (CVE-ID: CVE-2026-31592)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking in sev_mem_enc_register_region() when handling KVM ioctls during SEV guest initialization failure paths. A local user can issue crafted ioctl calls to trigger a general protection fault and kernel crash.

The issue can occur if KVM_SEV_INIT{2} fails and KVM attempts to add to an uninitialized sev->regions_list.


219) Improper locking (CVE-ID: CVE-2026-31591)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking in KVM SEV VMSA synchronization for SNP launch finish when synchronizing and encrypting VMSAs for SNP guests. A local user can manipulate or run a vCPU during synchronization to cause a denial of service.

The issue can corrupt vCPU state and may crash the host kernel.


220) Integer overflow (CVE-ID: CVE-2026-31590)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of an integer overflow condition in sev_pin_memory() when processing a KVM_MEMORY_ENCRYPT_REG_REGION ioctl request with a crafted size value. A local user can submit a specially crafted ioctl request to cause a kernel warning.

The issue is reachable from userspace through the KVM SEV memory encryption region registration interface.


221) Use-after-free (CVE-ID: CVE-2026-31589)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in folio_unmap_invalidate() when accessing mapping->a_ops after the folio has been removed from the mapping and the mapping can be removed. A local user can trigger the vulnerable code path to cause a denial of service.


222) Use-after-free (CVE-ID: CVE-2026-31588)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in complete_emulated_mmio() when servicing an emulated MMIO write that splits a page boundary across MMIO pages. A local user can trigger crafted KVM_RUN operations to cause a denial of service.

The issue occurs for write payloads of 8 bytes or less and is most visible when the second KVM_RUN is performed by a separate task.


223) Use-after-free (CVE-ID: CVE-2026-31587)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the q6apm ASoC component registration logic when unregistering dynamically registered DAIs from the ASoC topology. A local user can trigger device unbind or removal conditions to cause a denial of service.


224) Use-after-free (CVE-ID: CVE-2026-31586)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in cgwb_release_workfn() when releasing writeback resources and later dereferencing wb->blkcg_css after dropping its last reference. A local user can trigger the race condition to cause a denial of service.

The issue is race-dependent and can be observed as a KASAN-reported slab-use-after-free in blkcg_unpin_online().


225) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31585)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in vidtv_start_feed() when handling a start_streaming failure. A local user can trigger a start_streaming failure to cause a denial of service.

The issue can corrupt the nfeeds counter and may leave partially allocated mux and channel resources uncleared when the stop path returns early.


226) Use-after-free (CVE-ID: CVE-2026-31584)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in fops_vcodec_release() and the mtk_venc_worker workqueue handler when releasing an encoder context while queued or running encode work is still active. A local user can trigger the encoder release path during encode operations to cause a denial of service.

The issue is caused by a race condition between the release path and the workqueue lifecycle after the multimedia job is considered complete.


227) Use-after-free (CVE-ID: CVE-2026-31583)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a use-after-free in em28xx_v4l2_open() when opening a V4L2 device while racing with initialization error handling or device teardown. A local user can trigger concurrent operations to cause a denial of service or execute arbitrary code.

The race condition can also lead to a NULL pointer dereference.


228) Use-after-free (CVE-ID: CVE-2026-31582)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the powerz hwmon driver when handling a USB device disconnect followed by a read operation. A local user can disconnect the device and trigger a subsequent read to cause a denial of service.

The issue occurs when the freed URB pointer is dereferenced during device access after disconnection.


229) Use-after-free (CVE-ID: CVE-2026-31581)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in usb6fire_chip_abort() in the ALSA 6fire USB driver when handling device disconnect. A local user can trigger a device disconnect to cause a denial of service.

The issue occurs because the card private data may be freed synchronously when no file handles are open, after which the code accesses the freed chip structure.


230) Use-after-free (CVE-ID: CVE-2026-31580)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in cached_dev.sb_bio when handling superblock write completion while the device is being stopped. A local user can stop the device during a superblock write to cause a denial of service.


231) Improper locking (CVE-ID: CVE-2026-31579)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking in wg_netns_pre_exit() when handling network namespace cleanup. A local user can trigger network namespace teardown while another thread holds rtnl_mutex to cause a denial of service.

The issue can cause the cleanup path to block indefinitely, resulting in a hung task.


232) Use-after-free (CVE-ID: CVE-2026-31578)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the as102_usb driver release path when handling a previously opened device file during device deregistration or disconnect. A local user can open the device node before deregistration and later close the file descriptor to cause a denial of service.

The issue can also result in a double free when the final open file descriptor is released after the device structure was already freed on the probe error path.


233) NULL pointer dereference (CVE-ID: CVE-2026-31577)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in nilfs_mdt_save_to_shadow_map() when handling NILFS_IOCTL_CLEAN_SEGMENTS immediately after mount before any btree operation has occurred on the DAT inode. A local user can invoke the ioctl in that state to cause a denial of service.

The issue occurs because the DAT inode's i_assoc_inode may remain uninitialized until a btree operation is performed.


234) Use-after-free (CVE-ID: CVE-2026-31576)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the hackrf driver when handling ioctl and release operations on an already-open device file after device unregistration. A local user can keep a device file descriptor open and trigger ioctl or close operations to cause a denial of service.

New open() calls are blocked after device unregistration, but already-open file descriptors and in-flight I/O remain valid until the final reference is released.


235) Race condition (CVE-ID: CVE-2026-31575)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in mfill_atomic_hugetlb() when handling userfaultfd hugetlb faults. A local user can trigger faults on different addresses within the same huge page to cause a denial of service.

The issue can corrupt the reservation map and trigger the BUG_ON in resv_map_release().


236) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31574)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the clockevents subsystem when handling clock event state changes, arming non-forced events, or processing suspend wakeup events. A local user can trigger these conditions to cause a denial of service.

The issue can lead to missed timer interrupts and resulting system stalls.


237) Use-after-free (CVE-ID: CVE-2026-31532)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in raw_rcv() when processing CAN frames after a raw CAN socket is released. A local user can trigger concurrent socket release and packet reception to cause a denial of service.

The issue involves the percpu uniq storage referenced through RCU-delayed receiver deletion.


Remediation

Install the update from the vendor's website.