SB2026070284 - Ubuntu update for linux
Published: July 2, 2026
Description
This security bulletin contains information about 300 vulnerabilities.
1) Incorrect calculation (CVE-ID: CVE-2026-46328)
CWE-ID: CWE-682 - Incorrect Calculation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of rlimit updates in AppArmor resource limit enforcement when transitioning rlimits for posix cpu timers. A local user can trigger an incorrect cpu time limit update to cause a denial of service.
The issue affects systems with posix timers enabled.
2) Out-of-bounds write (CVE-ID: CVE-2026-46289)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in extract_kvec_to_sg in lib/scatterlist.c when extracting a kvec into a scatterlist. A local user can trigger the function with crafted kvec data to cause a denial of service.
3) Use-after-free (CVE-ID: CVE-2026-46270)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service or corrupt memory.
The vulnerability exists due to a use-after-free in the rt9455 charger driver interrupt handling path when handling interrupts during device probe or removal. A local user can trigger a race condition to cause a denial of service or corrupt memory.
The issue can also occur if an interrupt fires before the power_supply handle is registered, leading to use of an uninitialized handle in power_supply_changed().
4) Use-after-free (CVE-ID: CVE-2026-46267)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in llc_shdlc_deinit and SHDLC state machine work handling when tearing down the SHDLC context while timers or queued work remain active. A local user can trigger concurrent teardown and work execution to cause a denial of service.
The issue involves shutdown races where timer callbacks can schedule sm_work that accesses SHDLC state and skb queues after the context is freed.
5) Improper input validation (CVE-ID: CVE-2026-46266)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to alter forwarding and path MTU exception handling state.
The vulnerability exists due to improper input validation in RAW socket handling in the IPv4 and IPv6 ICMP error delivery paths when processing malicious incoming ICMP packets with an embedded packet header using protocol 255. A remote attacker can send a specially crafted ICMP packet to alter forwarding and path MTU exception handling state.
Exploitation requires the presence of a RAW socket created with IPPROTO_RAW.
6) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46265)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the hns_roce_irq_workq workqueue in the RDMA/hns driver when destroying queue pairs during reset handling with sunrpc and rpcrdma in use. A local user can trigger queue pair destruction to cause a denial of service.
The issue can occur when sunrpc is used and a reset is triggered.
7) NULL pointer dereference (CVE-ID: CVE-2026-46261)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in wpcm_fiu_probe() in the spi-wpcm-fiu driver when probing the device. A local attacker can trigger the vulnerable code path to cause a denial of service.
8) Out-of-bounds read (CVE-ID: CVE-2026-46260)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in fib6_add_rt2node() when handling IPv6 route creation requests with RTA_NH_ID. A local user can send a specially crafted netlink message to cause a denial of service.
The issue occurs because a route created with RTA_NH_ID may lack the trailing struct fib6_nh, leading to an invalid read during route processing.
9) Use-after-free (CVE-ID: CVE-2026-46259)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in do_task_stat() in procfs when reading /proc/[pid]/stat. A local user can trigger access to a stale real_parent task reference to cause a denial of service.
10) Improper resource shutdown or release (CVE-ID: CVE-2026-46255)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown in fsl_edma_remove() in the fsl-edma driver when removing the driver. A local user can trigger driver removal to cause a denial of service.
The issue results in kernel warnings because clocks are disabled and unprepared after they were already managed by automatic resource cleanup.
11) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-46254)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of unaligned memory access in AppArmor dfa table unpacking in security/apparmor/match.c when parsing a crafted AppArmor dfa blob. A local user can supply a specially crafted policy blob to trigger unaligned memory access and cause a denial of service.
The issue can be triggered by dfa tables originating from userspace, and it affects architectures that fault on unaligned memory accesses.
12) Heap-based buffer overflow (CVE-ID: CVE-2026-46253)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow and an out-of-bounds read in persistent_ram_save_old() and ramoops_pstore_read() when processing persistent crash records after repeated calls for the same persistent_ram_zone. A local user can trigger a survivable crash sequence with a larger subsequent record to cause a denial of service.
Exploitation requires a prior crash record that did not fill the record size, pstore_update_ms to be enabled, and a non-fatal oops so the system continues running.
13) Out-of-bounds write (CVE-ID: CVE-2026-46251)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to list corruption in the btrfs transaction handling logic for the block group tree dirty_list when committing a transaction with EXTENT_TREE_V2 enabled. A local user can trigger filesystem operations that dirty a block group to cause a denial of service.
Only systems using btrfs with the EXTENT_TREE_V2 incompat flag set are affected.
14) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46250)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper control of a register used as a global register variable in arch/mips/kernel/relocate.c when relocating the kernel with LLVM/Clang on MIPS. A local user can trigger kernel relocation in a vulnerable environment to cause a denial of service.
The issue can cause an early kernel crash in init_idle on MIPS systems built with affected LLVM versions.
15) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46249)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in the PF driver when probing after a kexec reboot before AF reinitializes the hardware. A local user can trigger a kexec reboot to cause a denial of service.
The issue occurs because hardware state can persist across kexec boots, causing the PF driver to mis-detect AF readiness and access stale hardware state.
16) Improper Initialization (CVE-ID: CVE-2026-46247)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper initialization in clk_gfx3d_determine_rate in drivers/clk/qcom/clk-rcg2.c when determining the GFX3D clock rate. A local user can trigger clock rate determination to cause a denial of service.
The issue results in a kernel crash because the parent request map does not provide the expected best_parent_hw clock.
17) Use-after-free (CVE-ID: CVE-2026-46246)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service or corrupt memory.
The vulnerability exists due to a use-after-free in the pm8916_lbc charger IRQ handler when handling an interrupt during device removal. A local user can trigger the race condition to cause a denial of service or corrupt memory.
The issue occurs because the extcon handle can be freed before the IRQ handler is unregistered, allowing extcon_set_state_sync() to be called on a freed handle.
18) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-46244)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass firewall restrictions.
The vulnerability exists due to improper handling of the transport header offset in nft_inner_parse_l2l3() in net/netfilter/nft_inner.c when processing inner IPv6 packets with extension headers. A remote attacker can send specially crafted packets to bypass firewall restrictions.
The issue causes a desynchronization between inner_thoff and l4proto, allowing transport header forgery in the inner IPv6 parsing path.
19) Improper input validation (CVE-ID: CVE-2026-46243)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information, modify data, or cause a denial of service.
The vulnerability exists due to improper input validation in the cifs.spnego key description handling in fs/smb/client/cifs_spnego.c when processing userspace-created cifs.spnego keys through request_key(2) or add_key(2). A local user can supply a crafted cifs.spnego description to disclose sensitive information, modify data, or cause a denial of service.
The issue arises because authority-bearing fields such as pid, uid, creduid, and upcall_target may be treated by cifs.upcall as kernel-originating inputs.
20) Integer overflow (CVE-ID: CVE-2026-46195)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an integer overflow in parse_sec_desc(), build_sec_desc(), and id_mode_to_cifs_acl() when processing a server-supplied security descriptor with a crafted dacloffset value. A remote attacker can return a malicious security descriptor to trigger pointer wraparound and cause a denial of service.
The issue affects 32-bit builds and can be reached through the chmod/chown rewrite paths.
21) Out-of-bounds read (CVE-ID: CVE-2026-46185)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in symlink_data() when processing an SMB2 symlink error response. A remote attacker can send a specially crafted SMB2 response to disclose sensitive information.
The issue can occur when the response buffer is shorter than the expected SMB2 error response structure.
22) Race condition (CVE-ID: CVE-2026-46135)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a race condition in nvmet_tcp_handle_icreq() and target-side queue teardown when processing an initialization connection request and a connection close concurrently. A remote attacker can send an initialization connection request and immediately close the connection to cause a denial of service.
The issue can lead to a second kref_put() being issued on an already released queue.
23) Out-of-bounds read (CVE-ID: CVE-2026-46119)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in libceph auth message processing when handling a crafted CEPH_MSG_AUTH_REPLY message. A remote attacker can send a specially crafted auth reply message to disclose sensitive information.
The issue occurs when a positive result value is misinterpreted as the size of the front segment to send, which can cause memory beyond the allocated buffer to be transmitted.
24) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-46115)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of dev_pagemap boundaries in biovec_phys_mergeable() when coalescing physically contiguous bvec segments. A local user can trigger merging of segments from different dev_pagemaps to cause a denial of service.
The issue occurs when a bio contains bvecs from different dev_pagemaps that are physically contiguous.
25) Integer underflow (CVE-ID: CVE-2026-46043)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an integer underflow in rxe_rcv when processing a crafted RDMA packet with a forged BTH pad field and insufficient length. A remote attacker can send a specially crafted packet to cause a denial of service.
The issue occurs because payload_size() uses the attacker-controlled pad value and ICRC size when calculating the payload length.
26) Improper Initialization (CVE-ID: CVE-2026-45988)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper state management in RxRPC packet processing when handling RESPONSE or CHALLENGE packets after a temporary processing failure. A remote attacker can send a sequence of crafted packets that trigger packet reprocessing to cause a denial of service.
The issue can occur when a packet is left in a partially decrypted state and then requeued for retry.
27) Use-after-free (CVE-ID: CVE-2026-45984)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the gfs2 inline data write path when handling inline data writes. A local user can trigger an inline write operation to cause a denial of service.
The issue occurs because a buffer head is released before the inline write completes, leaving a stale pointer that is later dereferenced during the write end path.
28) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45983)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper state management in nfs4 compound request handling when processing v4 request compound arguments that trigger idmap lookup upcalls. A remote user can send a crafted NFSv4 request to cause a denial of service.
When idmap lookup upcall responses are delayed beyond the allowed time limit, the request can be dropped before the compound response is encoded, leaving the session slot marked as in use and causing subsequent client requests to fail with NFSERR_JUKEBOX.
29) NULL pointer dereference (CVE-ID: CVE-2026-45982)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in acpi_ev_address_space_dispatch() when handling address space dispatch operations. A local attacker can trigger the vulnerable code path to cause a denial of service.
30) Use-after-free (CVE-ID: CVE-2026-45981)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free or double free in css_alloc_subchannel() when handling failures from DMA mask setup. A local user can trigger the affected error path to cause a denial of service.
The issue occurs after device_initialize() has been called and the embedded device object is freed directly instead of being released through the device model reference counting mechanism.
31) NULL pointer dereference (CVE-ID: CVE-2026-45978)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in gb_lights_light_config() and the greybus lights cleanup path when handling a failed channels array allocation. A local user can trigger memory allocation failure to cause a denial of service.
32) Memory leak (CVE-ID: CVE-2026-45976)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in amdgpu_ras_init() when handling an error from amdgpu_nbio_ras_sw_init(). A local user can trigger the vulnerable initialization path to cause a denial of service.
The issue occurs because an allocated con structure is not freed before the function returns an error.
33) Out-of-bounds read (CVE-ID: CVE-2026-45974)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in btrfs_quota_enable() when processing crafted btrfs filesystem metadata. A local user can trigger quota enablement on a malformed filesystem image to cause a denial of service.
34) Race condition (CVE-ID: CVE-2026-45973)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in the RDMA/mlx5 driver bond device handling when unloading the device during a firmware reset in LAG mode. A local user can trigger device teardown during this state to cause a denial of service.
The issue can cause the driver to hang indefinitely while waiting for UMR completion because completions never arrive.
35) Use-after-free (CVE-ID: CVE-2026-45972)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in smb2_open_file() when retrying SMB2_open(). A local user can trigger the retry path to cause a denial of service.
The issue can also result in a double free when @data is NULL.
36) Use-after-free (CVE-ID: CVE-2026-45970)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the rlb_arp_recv function in the bonding ALB RX path when processing ARP messages during rapid bond up/down cycles. A local user can trigger concurrent bond up/down operations while ARP traffic is being received to cause a denial of service.
The issue is triggered by a race condition between rlb_arp_recv() and rlb_deinitialize().
37) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-45969)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper exception handling in ps_gamepad_create() when triggering force feedback effects after initialization. A local user can trigger force feedback effects to cause a denial of service.
38) Out-of-bounds write (CVE-ID: CVE-2026-45968)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds index in the cpuidle ladder governor when selecting an idle state on systems with only one available idle state. A local attacker can trigger the vulnerable code path to cause a denial of service.
This issue occurs on certain platforms where cpuidle registers only a single polling idle state, which can result in a NULL enter callback being invoked and a system crash.
39) NULL pointer dereference (CVE-ID: CVE-2026-45965)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in rawdata_get_link_base in apparmorfs when resolving symbolic links to rawdata for a replaced profile after the export_binary parameter has been disabled at runtime. A local user can read a crafted rawdata symbolic link to cause a denial of service.
The issue occurs for profiles loaded before export_binary was disabled and then replaced, leaving the rawdata pointer NULL while the symbolic link remains accessible.
40) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-45964)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a reference count leak in gss_alloc_msg() in the SUNRPC gss_auth handling code when processing a non-NULL service name and memory allocation fails in kstrdup_const(). A local user can trigger the error path to cause a denial of service.
The issue occurs because the gss_auth reference is not released on the err_put_pipe_version error path, which can prevent the structure from being freed.
41) Out-of-bounds read (CVE-ID: CVE-2026-45962)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in ublk_ctrl_cmd_dump() when processing a submission queue entry without the IO_URING_F_SQE128 flag set. A local user can submit a crafted submission queue entry to cause a denial of service.
42) Improper update of reference count (CVE-ID: CVE-2026-45960)
CWE-ID: CWE-911 - Improper Update of Reference Count
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper reference count handling in hfs_bnode_create() when creating a btree node on a corrupted hfsplus filesystem. A local user can trigger node allocation for an already hashed node to cause a denial of service.
This can occur if filesystem corruption causes a node that is already in use to appear available.
43) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45957)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in rcu_read_unlock_special() when handling softirq processing during rcu_read_unlock(). A local user can trigger the affected kernel path to cause a denial of service.
Exploitation requires ftrace to be enabled.
44) Memory leak (CVE-ID: CVE-2026-45954)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in au1200fb_drv_probe() when handling platform device initialization. A local user can trigger an error path during driver probe to cause a denial of service.
45) Memory leak (CVE-ID: CVE-2026-45948)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in ext4_ext_shift_extents() when shifting extents. A local user can trigger the vulnerable code path to cause a denial of service.
46) Memory leak (CVE-ID: CVE-2026-45947)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in amdgpu_acpi_enumerate_xcc() when handling an error from amdgpu_acpi_dev_init(). A local user can trigger the affected code path to cause a denial of service.
The issue occurs when amdgpu_acpi_dev_init() returns -ENOMEM.
47) Use-after-free (CVE-ID: CVE-2026-45946)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service or corrupt memory.
The vulnerability exists due to a use-after-free in the ab8500 power supply IRQ handler when handling interrupts during device probe or removal. A local attacker can trigger a race condition involving a stale power_supply handle to cause a denial of service or corrupt memory.
The issue can also occur if an interrupt fires before the power_supply handle has been initialized.
48) Improper resource shutdown or release (CVE-ID: CVE-2026-45941)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in tpm_tis_i2c_send() when handling a get_burstcount() timeout failure. A local user can trigger a timeout condition to cause a denial of service.
The issue occurs because locality is not released if get_burstcount() returns -EBUSY.
49) Use-after-free (CVE-ID: CVE-2026-45938)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service or corrupt memory.
The vulnerability exists due to a use-after-free in the pm8916_lbc IRQ handler when handling an interrupt during device probe or removal. A local user can trigger a race condition to cause a denial of service or corrupt memory.
The issue can also occur if an interrupt fires before the power_supply handle is initialized during probe.
50) Use-after-free (CVE-ID: CVE-2026-45936)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service or corrupt memory.
The vulnerability exists due to a use-after-free in the goldfish power supply driver when handling interrupts during device removal or initialization. A local attacker can trigger a race condition to cause a denial of service or corrupt memory.
An interrupt may fire after the power_supply handle has been freed or before it has been initialized.
51) Heap-based buffer overflow (CVE-ID: CVE-2026-45935)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in DeleteIndexEntryRoot in the ntfs3 filesystem code when processing a crafted log record. A local user can supply a maliciously large entry size value to trigger memory corruption and cause a denial of service.
52) Memory leak (CVE-ID: CVE-2026-45928)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in wave5_vpu_open_enc() and wave5_vpu_open_dec() when handling allocation failures for inst->codec_info. A local user can trigger the affected code path to cause a denial of service.
53) Improper input validation (CVE-ID: CVE-2026-45923)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker with physical access to cause a denial of service.
The vulnerability exists due to improper input validation in the catc USB network driver when probing a malformed USB device with mismatched endpoint descriptors. An attacker with physical access can connect a specially crafted USB device to cause a denial of service.
The issue occurs because the driver assumes specific bulk and interrupt endpoint types for hardcoded endpoint numbers during device initialization.
54) Memory leak (CVE-ID: CVE-2026-45921)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in mtd_parser_tplink_safeloader_parse() when parsing TP-Link safeloader partition tables. A local user can trigger an allocation failure for parts[idx].name to cause a denial of service.
The issue was identified through static analysis and code review.
55) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-45919)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper logic in rto_next_cpu() when handling RT load balancing on an overloaded CPU. A local user can trigger repeated self-IPIs to cause a denial of service.
The issue can lead to a CPU hardlockup when HAVE_RT_PUSH_IPI is enabled and the affected CPU remains overloaded while other CPUs run pull_rt_task().
56) Race condition (CVE-ID: CVE-2026-45917)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in the IPVS destination route caching logic when handling network device shutdown events. A local user can trigger network device state changes to cause a leaked device reference and resource exhaustion, resulting in a denial of service.
57) Use-after-free (CVE-ID: CVE-2026-45916)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service or corrupt memory.
The vulnerability exists due to a use-after-free in the sbs-battery IRQ handler when handling an interrupt during device removal. A local attacker can trigger an interrupt race to cause a denial of service or corrupt memory.
A similar race can also occur during device probe if an interrupt fires before the power_supply handle is registered, leading to use of an uninitialized handle.
58) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-45915)
CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of link counts in vfat_rmdir() and msdos_rmdir() when processing a corrupted FAT filesystem image during directory removal. A local user can trigger directory removal on a crafted filesystem image to cause a denial of service.
59) Race condition (CVE-ID: CVE-2026-45914)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in the ibmpex hwmon driver sysfs sensor handling when reading sensor files during device removal. A local user can read a sensor sysfs file during the removal sequence to cause a kernel crash.
The issue occurs because driver data may be cleared while a sysfs callback still dereferences it.
60) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45913)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in the bridge multicast database handling for vlan contexts when processing multicast database flush operations after bridge and multicast snooping configuration changes. A local user can trigger inconsistent mdb entry accounting to cause a denial of service.
The issue can be triggered by creating multicast database entries on a bridge with vlan filtering enabled and then changing multicast snooping state before flushing entries.
61) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45912)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in ext4 extent status tree handling when splitting an unwritten extent during direct I/O writes. A local user can trigger extent splitting and subsequent delayed buffer writes to cause a denial of service.
The issue can leave a stale hole extent in the extent status tree, leading to errors in space accounting.
62) Race condition (CVE-ID: CVE-2026-45910)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in QP timer handlers in the RDMA rxe subsystem when handling Queue Pair timer callbacks during Queue Pair destruction. A local user can trigger concurrent timer activity and Queue Pair teardown to cause a denial of service.
The issue can lead to a reference count underflow and use-after-free warning during timer handler execution.
63) Race condition (CVE-ID: CVE-2026-45905)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in icmp_route_lookup() reverse path handling when processing packets that trigger ICMP error generation. A local user can trigger concurrent route lookup and address changes to cause a denial of service.
The issue occurs when a route returned by ip_route_input() becomes a local route and is then used for ICMP output, leading to a WARN_ON via ip_rt_bug().
64) Improper locking (CVE-ID: CVE-2026-45904)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper locking in EEH event handling when processing PCI error events. A local user can trigger recursive lock acquisition to cause a denial of service.
The issue can lead to deadlock in the pci_rescan_remove_lock path and disrupt normal EEH event handling.
65) Use-after-free (CVE-ID: CVE-2026-45902)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service or corrupt memory.
The vulnerability exists due to a use-after-free in power_supply_changed() in the bq256xx power supply driver when handling interrupts during device probe or removal. A local attacker can trigger a race condition to cause a denial of service or corrupt memory.
The issue can also occur if an interrupt fires before the power_supply handle is initialized.
66) Deadlock (CVE-ID: CVE-2026-45895)
CWE-ID: CWE-833 - Deadlock
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a livelock condition in quotactl_block() when waiting for a frozen filesystem to thaw. A local user can repeatedly toggle quota operations during filesystem freeze activity to cause a denial of service.
The issue is reliably triggered on non-preemptible kernels when the freezer and quota operations run on the same CPU.
67) Improper input validation (CVE-ID: CVE-2026-45893)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of unaligned memory access in AppArmor table creation when processing user-supplied source blobs. A local user can provide a specially crafted unaligned blob to cause a denial of service.
The source blob may originate from userspace.
68) Double free (CVE-ID: CVE-2026-45891)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in hns3_set_ringparam() and the ring cleanup path when handling ring reconfiguration after a memory allocation failure. A local user can trigger ring parameter changes that lead to a failed ring initialization to cause a denial of service.
The issue is caused by a stale dangling pointer in the tx_spare field that is mistaken for a newly allocated buffer during error cleanup.
69) Improper input validation (CVE-ID: CVE-2026-45890)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper input validation in the xen-netback backend connect() function when processing the guest-controlled xenbus key "multi-queue-num-queues". A remote user can write a zero queue count to trigger a host panic and cause a denial of service.
Impact on the host occurs on systems configured with panic_on_warn=1.
70) Improper access control (CVE-ID: CVE-2026-45886)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper access control in the bpf_xdp_store_bytes helper prototype when verifying BPF programs that use read-only map values. A local user can load a crafted BPF program to cause a denial of service.
The issue is triggered when the third helper argument points to a value from a BPF_F_RDONLY_PROG map.
71) Use-after-free (CVE-ID: CVE-2026-45885)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service or corrupt memory.
The vulnerability exists due to a use-after-free in the cpcap-battery IRQ handler when handling an interrupt during device removal or probe. A local attacker can trigger a race condition to cause a denial of service or corrupt memory.
The issue can also occur if an interrupt fires before the power_supply handle is registered, leading to use of an uninitialized handle in power_supply_changed().
72) Integer underflow (CVE-ID: CVE-2026-45884)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an integer underflow in aa_get_buffer() when pulling buffers from the per-cpu list. A local user can trigger repeated buffer operations to cause a denial of service.
The issue can starve other CPUs of cached buffers and force repeated kmalloc(aa_g_path_max) allocations.
73) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-45883)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a resource leak in sca3000_probe() when handling device initialization failures. A local user can cause a denial of service by triggering initialization in which iio_device_register() fails.
74) Use-after-free (CVE-ID: CVE-2026-45882)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service or corrupt memory.
The vulnerability exists due to a use-after-free in the pm8916_bms_vm driver power_supply handling when handling an interrupt during device removal or probe. A local attacker can trigger a race condition to cause a denial of service or corrupt memory.
The issue can also occur if an interrupt fires before the power_supply handle has been registered, leading to use of an uninitialized handle.
75) Memory leak (CVE-ID: CVE-2026-45881)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in svs_enable_debug_write() when parsing user-supplied input. A local user can cause a denial of service by providing malformed input that makes kstrtoint() fail.
76) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-45880)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper release of a resource in p2pmem_alloc_mmap() when vm_insert_page() fails. A local user can trigger a vm_insert_page() failure during mmap handling to cause a denial of service.
The issue can cause memunmap_pages() to hang indefinitely when the PCI device is removed.
77) Use-after-free (CVE-ID: CVE-2026-45879)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service or corrupt memory.
The vulnerability exists due to a use-after-free in the bq25980 power supply driver when handling interrupts during device removal or probe. A local user can trigger a race condition to cause a denial of service or corrupt memory.
The issue can also occur if an interrupt fires before the power_supply handle has been registered, leading to use of an uninitialized handle in power_supply_changed().
78) Out-of-bounds write (CVE-ID: CVE-2026-45878)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in the debug address watch handling in drm/amdkfd when processing a crafted watch_id value from userspace. A local user can supply a watch_id larger than INT_MAX to trigger memory access outside the watch_points array and cause a denial of service.
The issue is triggered by integer sign conversion of an unsigned watch_id to a signed value, which can also lead to invalid shift operations.
79) NULL pointer dereference (CVE-ID: CVE-2026-45877)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in ishtp_bus_remove_all_clients when handling a warm reset while clients are still being enumerated. A local user can trigger the affected reset flow to cause a denial of service.
The issue can lead to a kernel panic in the workqueue context during warm reboot stress conditions.
80) Improper resource shutdown or release (CVE-ID: CVE-2026-45875)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown in wm5102_clear_write_sequencer() error handling when processing a failure path. A local user can trigger an error condition to cause a denial of service.
The issue can leave regulators enabled because the cleanup sequence is bypassed on error.
81) Improper input validation (CVE-ID: CVE-2026-45873)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in nft_set_rbtree anonymous sets when processing interval elements. A local user can add overlapping interval start elements to trigger erroneous overlap handling and cause a denial of service.
The issue occurs when adjacent intervals are represented in the optimized userspace format that omits end elements.
82) Memory leak (CVE-ID: CVE-2026-45872)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in pqi_report_phys_luns() when handling unsupported data formats or allocation failures. A local user can trigger the vulnerable error paths to cause a denial of service.
83) Improper resource shutdown or release (CVE-ID: CVE-2026-45871)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in st33zp24_send() in the st33zp24 TPM driver when handling a get_burstcount() timeout error. A local user can trigger the error condition to cause a denial of service.
The issue occurs because the locality acquired earlier is not released when get_burstcount() returns -EBUSY on timeout.
84) Improper resource shutdown or release (CVE-ID: CVE-2026-45870)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in the SUNRPC auth_gss XDR decoding functions when decoding GSSX context, status, or name data. A local user can trigger a decoding failure after memory has been allocated to cause a denial of service.
The issue occurs on error paths where previously allocated buffers remain unreferenced if a subsequent decode step fails.
85) NULL pointer dereference (CVE-ID: CVE-2026-45869)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in power_supply_changed() when handling an interrupt before the power_supply handle is allocated and registered. A local user can trigger the vulnerable race condition to cause a denial of service.
The issue is triggered during device probe if an interrupt fires before power_supply registration completes.
86) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-45868)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a reference count leak in pcs_add_gpio_func() when parsing phandle arguments. A local user can trigger repeated processing of crafted device tree data to cause a denial of service.
87) Use-after-free (CVE-ID: CVE-2026-45867)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service or corrupt memory.
The vulnerability exists due to a use-after-free in the act8945a power supply IRQ handler when handling an interrupt during device probe or removal. A local attacker can trigger a race condition to cause a denial of service or corrupt memory.
The issue can also occur if an interrupt fires before the power_supply handle is registered, leading to use of an uninitialized handle.
88) Use-after-free (CVE-ID: CVE-2026-45866)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the caif_serial line discipline close handler and transmit path when processing packet transmission during line discipline shutdown. A local user can send crafted packets during the race window to cause a denial of service.
The issue is triggered by a race condition between ldisc_close() and packet transmission in handle_tx().
89) Use of Uninitialized Variable (CVE-ID: CVE-2026-45865)
CWE-ID: CWE-457 - Use of Uninitialized Variable
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to use of uninitialized memory in the mctp i2c event handler read path when handling i2c read requests to an mctp-i2c device. A local user can issue crafted i2c read operations to disclose sensitive information.
The issue was observed with certain i2c bus drivers returning an uninitialized stack byte value during reads.
90) Improper input validation (CVE-ID: CVE-2026-45864)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the ntfs3 file write handling logic when processing valid values during file write operations. A local user can trigger the condition with a crafted write operation to cause a denial of service.
The issue can result in an infinite loop and a hung task condition.
91) Improper Initialization (CVE-ID: CVE-2026-45862)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper initialization in the PASID table handling in the Intel VT-d IOMMU subsystem when using a freshly allocated PASID table before its cache flush completes. A local user can trigger use of the PASID table with stale memory contents to cause a denial of service.
The issue affects systems with non-coherent IOMMU hardware.
92) Use-after-free (CVE-ID: CVE-2026-45861)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in qd_put and the gfs2 quota data LRU handling when shutting down the filesystem and the shrinker scans quota data objects. A local user can trigger filesystem shutdown to cause a denial of service.
93) Resource exhaustion (CVE-ID: CVE-2026-45860)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper resource management in nf_conncount when tracking a high rate of new connections within the same jiffy. A remote attacker can send a large number of connection attempts to cause a denial of service.
The issue can be triggered in environments using nft_connlimit, xt_connlimit, or OVS limit configuration.
94) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-45859)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper state handling in nfnetlink_queue when processing UDP GSO packets with an unconfirmed nf_conn entry. A remote attacker can send specially crafted network traffic to cause a denial of service.
The issue occurs when an application has not enabled the F_GSO capability flag.
95) NULL pointer dereference (CVE-ID: CVE-2026-45857)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the csiostor driver error exit path when handling a NULL rn value. A local user can trigger the vulnerable error path to cause a denial of service.
96) Out-of-bounds read (CVE-ID: CVE-2026-45856)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in ib_uverbs_post_send() when processing a user-supplied wqe_size value. A local user can provide a crafted small wqe_size value to disclose sensitive information.
An excessively large wqe_size value can also trigger a warning in the memory allocation path.
97) Double free (CVE-ID: CVE-2026-45852)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in rxe_srq_from_init in the RDMA rxe subsystem when handling a failed copy_to_user operation during SRQ creation. A local user can trigger an error path to cause a denial of service.
98) Incorrect Calculation of Buffer Size (CVE-ID: CVE-2026-45851)
CWE-ID: CWE-131 - Incorrect Calculation of Buffer Size
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory reservation in reserve_unaccepted() when handling an unaccepted memory table with an unaligned starting physical address. A local user can trigger the vulnerable code path to cause a denial of service.
The issue was observed when starting Intel TDX virtual machines with specific memory sizes, such as systems with more than 64 GB of memory.
99) Improper locking (CVE-ID: CVE-2026-45849)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper locking in ocelot_port_xmit_inj() when transmitting frames through the register injection path. A local user can trigger the vulnerable code path to cause a denial of service.
The FDMA path is not affected because it uses a different locking mechanism.
100) NULL pointer dereference (CVE-ID: CVE-2026-45848)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in aa_sock_file_perm when handling socket setup or teardown. A local user can trigger the vulnerable code path to cause a denial of service.
The issue is reachable for older af_unix mediation and other socket types.
101) Reachable assertion (CVE-ID: CVE-2026-45847)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of an assertion in the forward path array when processing a sufficiently long forward path. A local user can configure networking state to build a sufficiently long forward path to cause a denial of service.
Recent support for IPIP tunnels increases the likelihood of reaching the vulnerable condition.
102) Out-of-bounds write (CVE-ID: CVE-2026-43501)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in ipv6_rpl_srh_rcv() and skb_mac_header_rebuild() when processing a crafted IPv6 packet with a recompressed type-3 source routing header. A local user can send a specially crafted raw IPv6 packet to trigger an out-of-bounds write and cause a denial of service.
Exploitation requires the ability to send an AF_INET6 SOCK_RAW packet with IPV6_HDRINCL over the loopback interface.
103) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43493)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of error conditions in the pcrypt crypto subsystem when processing MAY_BACKLOG requests. A local user can trigger requests that return EBUSY to cause a denial of service.
104) Double free (CVE-ID: CVE-2026-43414)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in qla24xx_els_dcmd_iocb() error handling when releasing fcport references. A local user can trigger an error condition to cause a denial of service.
105) Integer overflow (CVE-ID: CVE-2026-43407)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an integer overflow leading to an out-of-bounds read in ceph_handle_auth_reply() when processing a CEPH_MSG_AUTH_REPLY message. A remote attacker can send a specially crafted CEPH_MSG_AUTH_REPLY message to disclose sensitive information.
106) Out-of-bounds read (CVE-ID: CVE-2026-43406)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in process_message_header() when processing a maliciously corrupted message frame. A remote attacker can send a specially crafted message frame to disclose sensitive information.
The issue can be triggered if the control segment length is smaller than the message header size or if a different frame is made to appear as a message frame.
107) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-43384)
CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass message authentication.
The vulnerability exists due to observable timing differences in MAC comparison in tcp-ao when verifying authentication codes. A remote attacker can measure response timing during crafted network interactions to bypass message authentication.
108) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-43383)
CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to observable timing differences in tcp-md5 MAC comparison when verifying TCP MD5 signatures. A remote attacker can measure response timing during crafted network interactions to disclose sensitive information.
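Entries 107 and 108 both describe a MAC comparison whose running time depends on how many leading bytes match. The added example below (not code from the kernel or from this bulletin) models that with a byte counter instead of a clock and sets it beside a comparison that always inspects every byte; the function names, the 16-byte length and the sample MAC are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAC_LEN 16 /* MD5 digest size in bytes; an assumption of this model */

/* Constructed sample value standing in for the locally computed MAC. */
static const uint8_t expected_mac[MAC_LEN] = {
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x4d, 0xb8, 0x60,
    0x1f, 0xa3, 0x76, 0xc9, 0x0e, 0x52, 0xd4, 0x8b
};

/* memcmp-style comparison: stops at the first mismatch, so the work done
 * (reported through *examined) grows with the length of the matching prefix. */
static int mac_equal_early_exit(const uint8_t *a, const uint8_t *b,
                                size_t len, size_t *examined)
{
    *examined = 0;
    for (size_t i = 0; i < len; i++) {
        *examined = i + 1;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: accumulates the XOR of every byte pair and
 * decides only at the end, so the work done is independent of the input. */
static int mac_equal_constant_time(const uint8_t *a, const uint8_t *b,
                                   size_t len, size_t *examined)
{
    volatile uint8_t diff = 0; /* volatile discourages early-exit optimisation */

    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *examined = len;
    return diff == 0;
}

/* Build a candidate whose first `prefix` bytes match expected_mac and whose
 * remaining bytes differ, compare it, and return how many bytes were read. */
static size_t bytes_examined(int constant_time, size_t prefix, int *equal)
{
    uint8_t candidate[MAC_LEN];
    size_t examined;

    for (size_t i = 0; i < MAC_LEN; i++)
        candidate[i] = (i < prefix) ? expected_mac[i]
                                    : (uint8_t)~expected_mac[i];

    *equal = constant_time
        ? mac_equal_constant_time(expected_mac, candidate, MAC_LEN, &examined)
        : mac_equal_early_exit(expected_mac, candidate, MAC_LEN, &examined);
    return examined;
}

int main(void)
{
    static const size_t prefixes[] = { 0, 8, MAC_LEN };

    for (size_t i = 0; i < sizeof(prefixes) / sizeof(prefixes[0]); i++) {
        int eq_leaky, eq_ct;
        size_t leaky = bytes_examined(0, prefixes[i], &eq_leaky);
        size_t ct = bytes_examined(1, prefixes[i], &eq_ct);

        printf("matching prefix %2zu: early-exit read %2zu bytes (equal=%d), "
               "constant-time read %2zu bytes (equal=%d)\n",
               prefixes[i], leaky, eq_leaky, ct, eq_ct);
    }
    return 0;
}
```

In kernel code the equivalent of the second function is crypto_memneq(), which exists for comparing secrets such as MACs.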
109) Use-after-free (CVE-ID: CVE-2026-43378)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to a use-after-free in smb2_open() when handling SMB open requests. A local user can trigger a race condition involving a dangling opinfo pointer to execute arbitrary code.
110) Integer overflow (CVE-ID: CVE-2026-43341)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an integer overflow in ioam6_fill_trace_data() when processing IPv6 IOAM trace data with bit 22 enabled and a maximal schema payload. A local user can trigger the vulnerable code path to cause a denial of service.
The issue occurs because the schema length can wrap from 256 to 0, bypassing the remaining-space check and leading to a trace buffer overrun.
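A simplified model of the wrap described in entry 110, added here as an illustration and not taken from ioam6_fill_trace_data(): a length held in an 8-bit variable turns 256 into 0, the remaining-space check passes, and the copy runs past the logical buffer. The structure, the function names, the 64-word buffer size and the guard area are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRACE_WORDS 64  /* logical trace buffer size in 4-byte words (constructed) */
#define GUARD_WORDS 256 /* slack so the modelled overrun stays inside the array */
#define FILL 0xA5A5A5A5u

struct trace_model {
    uint32_t words[TRACE_WORDS + GUARD_WORDS];
    size_t used; /* words of the logical buffer already filled */
};

static void write_words(struct trace_model *t, size_t n)
{
    for (size_t i = 0; i < n; i++)
        t->words[t->used + i] = FILL;
    t->used += n;
}

/* Vulnerable pattern: one header word plus the payload, stored in a u8.
 * With a maximal payload of 255 words the sum is 256 and wraps to 0. */
static int fill_schema_u8(struct trace_model *t, uint8_t payload_words)
{
    uint8_t sclen = (uint8_t)(1 + payload_words); /* 256 -> 0 */
    size_t remaining = TRACE_WORDS - t->used;

    if (sclen > remaining)
        return -1; /* never taken for the wrapped value 0 */

    /* The copy itself is driven by the real payload size, not by sclen. */
    write_words(t, (size_t)1 + payload_words);
    return 0;
}

/* Hardened pattern: compute the length in a type wide enough to hold 256,
 * then compare that same value against the space that is left. */
static int fill_schema_checked(struct trace_model *t, uint8_t payload_words)
{
    size_t sclen = (size_t)1 + payload_words;
    size_t remaining = TRACE_WORDS - t->used;

    if (sclen > remaining)
        return -1;

    write_words(t, sclen);
    return 0;
}

/* Count words written beyond the logical buffer, i.e. the overrun. */
static size_t guard_words_touched(const struct trace_model *t)
{
    size_t n = 0;

    for (size_t i = TRACE_WORDS; i < TRACE_WORDS + GUARD_WORDS; i++)
        if (t->words[i] != 0)
            n++;
    return n;
}

int main(void)
{
    struct trace_model a, b;

    memset(&a, 0, sizeof(a));
    memset(&b, 0, sizeof(b));

    printf("u8 length:   rc=%d, words past the buffer=%zu\n",
           fill_schema_u8(&a, 255), guard_words_touched(&a));
    printf("wide length: rc=%d, words past the buffer=%zu\n",
           fill_schema_checked(&b, 255), guard_words_touched(&b));
    return 0;
}
```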
111) NULL pointer dereference (CVE-ID: CVE-2026-43320)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a missing function hook check in drm/amd/display when handling eDP DSC functionality. A local user can trigger the vulnerable code path to cause a denial of service.
112) Improper locking (CVE-ID: CVE-2026-43319)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper lock management in the spidev driver when handling concurrent write and ioctl operations on the same spidev file descriptor. A local user can perform write() and SPI_IOC_WR_MAX_SPEED_HZ ioctl() calls from separate threads to cause a denial of service.
The issue is triggered by an AB-BA locking pattern involving spi_lock and buf_lock.
113) Race condition (CVE-ID: CVE-2026-43318)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper synchronization in amdgpu_dma_buf_move_notify when handling dma-buf move notifications for shared buffer objects. A local user can trigger a buffer move while another GPU job is still running to cause a denial of service.
The issue can occur in multi-GPU environments using shared buffer objects where a page table update happens before the originating blit job has completed, leading to a likely page fault.
114) Improper resource shutdown or release (CVE-ID: CVE-2026-43317)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in the MOST core interface registration logic when handling early registration failures. A local user can trigger an interface registration failure to cause a denial of service.
115) Integer overflow (CVE-ID: CVE-2026-43316)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds shift in solo6x10 chip_id handling when processing a crafted chip_id value. A local user can trigger the vulnerable code path to cause a denial of service.
116) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43315)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of a user-triggerable warning in nested_svm_load_cr3() and svm_set_nested_state() in KVM nSVM when restoring nested vCPU state after modifying CPUID and CR3 values from userspace. A local user can supply an illegal combination of nested state, CPUID, and CR3 values to trigger a kernel warning and cause a denial of service.
The issue is reachable through the KVM userspace ABI during nested virtualization state restoration.
117) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43314)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper timeout handling in the dm driver when processing an injected io-timeout-fail condition on a device-mapper device. A local user can inject a fake timeout and perform read or write operations to cause a denial of service.
Exploitation can leak a request so it is never completed, causing tasks to hang indefinitely.
118) NULL pointer dereference (CVE-ID: CVE-2026-43313)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null-pointer dereference in acpi_processor_errata_piix4() when processing PCI device lookups. A local user can trigger the vulnerable code path to cause a denial of service.
119) NULL pointer dereference (CVE-ID: CVE-2026-43312)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in the ov5647 driver control initialization path when handling a device probe error condition. A local user can trigger the vulnerable error path to cause a denial of service.
The issue occurs because subdevice data may be accessed before it is initialized.
120) Improper input validation (CVE-ID: CVE-2026-43304)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in process_auth_done() when decoding ceph authentication keys. A remote attacker can send a crafted key with excessive key material to cause a denial of service.
121) Improper Initialization (CVE-ID: CVE-2026-43302)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper initialization in the v3d DRM driver DMA mapping configuration when creating V3D buffer objects through ioctl handling. A local user can issue crafted V3D buffer creation requests to cause a denial of service.
The issue is observable when DMA API debugging is enabled.
122) NULL pointer dereference (CVE-ID: CVE-2026-43300)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null-pointer dereference in jdi_panel_dsi_remove() when removing the JDI panel device. A local user can trigger the removal path to cause a denial of service.
123) NULL pointer dereference (CVE-ID: CVE-2026-43297)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of error pointers in rga_buf_init() when initializing buffers with an unsupported or invalid buffer type. A local user can trigger the use of an invalid buffer type to cause a denial of service.
124) Deadlock (CVE-ID: CVE-2026-43296)
CWE-ID: CWE-833 - Deadlock
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a hardware-induced deadlock condition in the octeontx2-af NIX SQ manager and PSE handling logic when multiple send queues share an SMQ and transmit concurrently or when sticky and non-sticky transmissions transition. A local user can trigger concurrent transmissions to cause a denial of service.
The issue can also manifest as loss of forward progress under load with credit loss.
125) Expired pointer dereference (CVE-ID: CVE-2026-43295)
CWE-ID: CWE-825 - Expired pointer dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a dangling pointer in rio_scan_alloc_net() when handling idtab allocation failures. A local user can trigger the vulnerable error path to cause a denial of service.
126) Improper input validation (CVE-ID: CVE-2026-43291)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the nci packet data validation logic when processing variable-length packet data. A local user can provide a crafted packet with a variable length to cause a denial of service.
The issue occurs in cases where packet data is variable-length and cannot be safely compared against the maximum packet length derived from the structure size.
127) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-43289)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of overlapping executable sections in kexec_load_purgatory() when loading a purgatory object. A local user can supply a purgatory object with multiple executable sections that overlap in sh_addr to cause a denial of service.
The issue can trigger a kernel WARN during kexec_file_load.
128) Improper Initialization (CVE-ID: CVE-2026-43288)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper initialization in ext4 per-CPU counter handling when mounting a crafted ext4 filesystem with quota and project features enabled. A local user can mount a specially crafted filesystem image to cause a denial of service.
The issue is triggered when block bitmap validation fails during filesystem mount.
129) Resource exhaustion (CVE-ID: CVE-2026-43287)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in DRM_IOCTL_MODE_CREATEPROPBLOB when allocating arbitrary-sized property blobs backed by kernel memory. A local user can create property blobs to cause a denial of service.
The issue can lead to unbounded kernel memory consumption and potentially system-wide out-of-memory conditions.
130) Improper resource shutdown or release (CVE-ID: CVE-2026-43283)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in dma_free_coherent() in the ec_bhf ethernet driver when handling an error path during buffer cleanup. A local user can trigger the error path to cause a denial of service.
131) Out-of-bounds write (CVE-ID: CVE-2026-43279)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in prepare_silent_urb() when silencing playback URB packets in implicit feedback mode before actual playback. A local user can trigger inconsistent capture and playback stream packet sizing to cause a denial of service.
The issue can occur when the capture stream setup differs from the playback stream setup, such as due to USB core maximum packet size limitations.
132) Double free (CVE-ID: CVE-2026-43278)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in request-based device-mapper targets when handling completion and teardown of cloned request bios. A local user can trigger request processing that causes the same cloned bios to be freed twice to cause a denial of service.
One observed case involves dm-multipath on top of a PCIe NVMe namespace, where the cloned bios are first freed during request completion and later freed again during clone teardown.
133) Out-of-bounds read (CVE-ID: CVE-2026-43277)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker with physical access to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in ghes_new() and CPER error record handling when processing firmware-supplied CPER data. An attacker with physical access can provide a malformed CPER record with a length larger than the allocated buffer to cause a denial of service.
The issue can be triggered by bad firmware supplying inconsistent CPER record size information.
134) Race condition (CVE-ID: CVE-2026-43275)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in the ufs core driver exception event handling work when suspending the system with the runtime power management level set to UFS_PM_LVL_0. A local user can trigger suspend while exception handling work is pending to cause a denial of service.
The issue occurs because the device power mode and link state remain active at this power management level, allowing exception handling to access the host controller after the system has entered a deep power-down state.
135) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-43273)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause data inconsistencies in snapshots.
The vulnerability exists due to improper context handling in ceph_zero_partial_object() when performing OSD write operations for partial object zeroing. A local user can modify a file and access its snapshot to cause data inconsistencies in snapshots.
Exploitation requires access to a CephFS mount and interaction with snapshot functionality.
136) NULL pointer dereference (CVE-ID: CVE-2026-43271)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a null pointer dereference in process_metadata_update() when handling a METADATA_UPDATED message from a remote node during MD array startup. A remote attacker can send a crafted metadata update message to cause a denial of service.
The issue can be triggered during a race condition window before the main MD thread is initialized.
137) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-43270)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper release of a resource in mtk_mdp_remove() when removing the media mtk-mdp device. A local user can trigger device probe and removal operations to cause a denial of service.
138) Memory leak (CVE-ID: CVE-2026-43269)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in the atomic_destroy_state callback in drm/atmel-hlcdc when handling atomic display state cleanup. A local user can trigger repeated graphics operations to cause a denial of service.
The issue may be observed only after prolonged usage of a graphics application.
139) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-43268)
CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of special inode types in hfsplus when opening special inodes. A local user can access a specially crafted hfsplus filesystem entry to cause a denial of service.
140) Out-of-bounds read (CVE-ID: CVE-2026-43266)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the GHES/CPER ARM processor CPER record parser when processing a firmware-generated ARM processor CPER record with an oversized section length. A local attacker can provide a crafted CPER record to disclose sensitive information.
The issue can cause the kernel to dump data beyond the firmware memory-mapped area.
141) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-43264)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a refcount leak in of_get_display_timings() when handling device tree display timing data. A local user can trigger the vulnerable error path to cause a denial of service.
142) Improper locking (CVE-ID: CVE-2026-43262)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper lock handling in gfs2_fiemap() when processing fiemap requests on a memory-mapped fiemap buffer associated with the same inode. A local user can trigger a page fault that leads to recursive glock taking to cause a denial of service.
143) Observable discrepancy (CVE-ID: CVE-2026-43261)
CWE-ID: CWE-203 - Observable discrepancy
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to disclose sensitive information.
The vulnerability exists due to an observable timing discrepancy in branch prediction on TSV110 arm64 processors when executing code that influences branch history. A local attacker can perform a Spectre-BHB side-channel attack to disclose sensitive information.
The issue is specific to TSV110 processors.
144) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43258)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper TLB invalidation in memory compaction and page migration handling when migrating pages during memory compaction. A local user can trigger memory compaction activity to cause a denial of service.
The issue can result in sporadic user-space crashes and heap corruption on Alpha systems when memory compaction is enabled.
145) Improper resource shutdown or release (CVE-ID: CVE-2026-43257)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in snd_cx88_hw_params() when handling hardware parameter setup error paths. A local user can trigger an error condition to cause a denial of service.
146) Out-of-bounds read (CVE-ID: CVE-2026-43256)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in vfe_isr_reg_update() when handling interrupt processing. A local user can trigger the vulnerable code path to cause a denial of service.
147) Race condition (CVE-ID: CVE-2026-43255)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper synchronization in usb_tx_block when submitting a USB request block during rapid firmware loading. A local user can trigger repeated transmission requests to cause a denial of service.
148) Improper locking (CVE-ID: CVE-2026-43253)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper lock management in iommu_completion_wait() when waiting for command completion with iommu.strict=1 under stressed conditions. A local user can trigger IOMMU activity that causes the kernel to busy-wait under a spinlock with interrupts disabled to cause a denial of service.
The issue can result in soft lockups because wait_on_sem() polls a hardware-updated semaphore while the spinlock is held.
149) Improper input validation (CVE-ID: CVE-2026-43251)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker with physical access to cause a denial of service.
The vulnerability exists due to improper input validation in the prodikeys HID driver when processing a forged USB report descriptor from a fake device. An attacker with physical access can connect a crafted USB device to trigger a kernel crash and cause a denial of service.
The issue occurs because the input_mapping() hook may not be called, leaving pm->input_ep82 unset.
150) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43250)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory corruption.
The vulnerability exists due to improper resource cleanup in _ep_nuke() in the ChipIdea UDC driver when handling a disconnect during a multi-segment DMA transfer. A local user can trigger a disconnect and reuse a request with stale DMA state to cause memory corruption.
The issue occurs when a request is returned with status -ESHUTDOWN while its num_mapped_sgs field and scatter-gather pointer still retain stale values.
151) Double free (CVE-ID: CVE-2026-43249)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in xen_9pfs_front_free when handling concurrent back-end change notifications. A local user can trigger concurrent back-end change notifications to cause a denial of service.
The issue can be triggered by a race involving the xenwatch thread and other back-end change notifications.
152) Out-of-bounds write (CVE-ID: CVE-2026-43248)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in vdpa_sim when assigning an ASID to a group. A local user can assign a valid ASID to a group equal to ngroups to cause a denial of service.
153) Memory leak (CVE-ID: CVE-2026-43246)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in tw9906_probe() when handling an error path after initializing V4L2 controls. A local user can trigger the vulnerable error condition to cause a denial of service.
154) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43244)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper cleanup of an empty skb in the kcm_sendmsg()/kcm_write_msgs() message handling path when processing a partial sendmsg error followed by message completion. A local user can trigger a copy failure after a new frag_list skb is linked and then complete the message with a zero-length write to cause a kernel warning.
The issue occurs for SOCK_SEQPACKET sockets when partial data has already been copied and the message is later completed.
155) Memory leak (CVE-ID: CVE-2026-43242)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in k3-socinfo probe handling when probing the driver. A local user can trigger repeated probe failures to cause a denial of service.
The issue can be triggered on probe failure conditions such as probe deferral or driver unbind.
156) Out-of-bounds read (CVE-ID: CVE-2026-43241)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in the ntb_hw_switchtec driver when handling NTB configurations with an invalid memory window index. A local user can trigger access to an invalid mw_sizes array index to cause a denial of service.
The issue occurs because the number of memory window lookup table entries depends on the NTB configuration and may be set to MAX_MWS.
157) Race condition (CVE-ID: CVE-2026-43239)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in smb client query_interfaces() when concurrently updating interfaces. A local user can trigger concurrent interface query work to cause a denial of service.
158) Division by zero (CVE-ID: CVE-2026-43238)
CWE-ID: CWE-369 - Divide By Zero
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a divide-by-zero error in tcf_skbedit_hash() when processing skbedit hash-based tx queue selection with a queue mapping range covering all possible u16 queue IDs. A local user can configure a crafted queue mapping range to cause a denial of service.
159) Use-after-free (CVE-ID: CVE-2026-43236)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in atmel_hlcdc_plane_atomic_duplicate_state() when handling drm atomic commit operations after duplicating plane state. A local user can close and re-open the device node while another DRM client is still attached to cause a denial of service.
It can be triggered in a scenario where another DRM client such as fbdev remains attached.
160) Out-of-bounds read (CVE-ID: CVE-2026-43233)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in decode_choice() in nf_conntrack_h323 when processing a crafted Q.931 SETUP message containing a User-User Information Element with PER-encoded data. A remote attacker can send a specially crafted network message to disclose sensitive information.
Exploitation requires the nf_conntrack_h323 helper to be active and can be triggered via port 1720.
161) Use-after-free (CVE-ID: CVE-2026-43232)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the FarSync WAN driver tasklet handlers when detaching a FarSync T-series card while scheduled tasklets are still running or pending. A local user can trigger device removal during tasklet processing to cause a denial of service.
The issue is caused by a race condition between cleanup in fst_remove_one() and the fst_tx_task or fst_int_task tasklets accessing fst_card_info in fst_process_tx_work_q() or fst_process_int_work_q().
162) Memory leak (CVE-ID: CVE-2026-43231)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in usb_keene_probe() when handling device initialization errors after registering v4l2 controls. A local user can trigger a failure in v4l2_device_register() or video_register_device() to cause a denial of service.
163) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43230)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in the reconnect worker handling in net/rds when canceling the reconnect worker before it is scheduled. A local user can trigger cancellation of the reconnect worker in that state to cause a denial of service.
The reconnect-pending bit may remain set indefinitely if the worker is canceled before being scheduled.
164) Improper locking (CVE-ID: CVE-2026-43227)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper lock handling in the sh_tmu clocksource driver when managing power state and clocks during clockevent operations. A local user can trigger clockevent activity to cause a denial of service.
This issue is relevant on PREEMPT_RT builds, where normal spinlocks can sleep and the lock context mismatch may become problematic.
165) Race condition (CVE-ID: CVE-2026-43226)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in the RDS/TCP connection handling code when processing connection state transitions. A local user can trigger unexpected state transitions to cause a denial of service.
The issue can leave the shutdown work flag set indefinitely after the connection reaches an invalid state.
166) Memory leak (CVE-ID: CVE-2026-43225)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in the rtl8723bs staging driver when handling a failure return from cfg80211_inform_bss_frame(). A local user can trigger the affected code path to cause a denial of service.
167) Improper resource shutdown or release (CVE-ID: CVE-2026-43223)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in pvr2_send_request_ex() when submitting USB request blocks. A local user can trigger a failure after a write URB has been submitted but before the corresponding read URB is submitted to cause a denial of service.
The issue is triggered when read URB submission fails while the write URB remains active and is later reused.
168) Out-of-bounds write (CVE-ID: CVE-2026-43222)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in the AV1 tile info buffer when processing AV1 tile information. A local user can trigger processing of crafted AV1 content to cause a denial of service.
169) Use of Uninitialized Variable (CVE-ID: CVE-2026-43221)
CWE-ID: CWE-457 - Use of Uninitialized Variable
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to use of uninitialized memory in the ipmi ipmb event handler when handling i2c read operations. A local user can trigger an i2c read to disclose sensitive information.
170) Memory leak (CVE-ID: CVE-2026-43218)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in tw9903_probe() when handling an error path after initializing V4L2 control handlers. A local user can trigger the vulnerable error condition to cause a denial of service.
171) Improper locking (CVE-ID: CVE-2026-43215)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper locking in tcon fields when accessing connection data. A local user can trigger concurrent operations to cause a denial of service.
172) Race condition (CVE-ID: CVE-2026-43214)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper synchronization in __get_sregs2() when reading PDPTR registers during ioctl handling. A local user can issue a crafted ioctl request to cause a denial of service.
The issue is triggered when reading PDPTRs causes access to guest memory through memslot lookups without the required SRCU read-side protection.
173) Improper input validation (CVE-ID: CVE-2026-43212)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in cpumask_of_node() when handling a NUMA_NO_NODE index. A local user can trigger the vulnerable code path to cause a denial of service.
The issue affects the LoongArch architecture-specific implementation.
174) Improper locking (CVE-ID: CVE-2026-43211)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper lock handling in pci_slot_trylock() when handling a pci_bus_trylock() failure path. A local user can trigger the affected code path to cause a denial of service.
The issue can result in unlocking a lock that is not held or incorrectly unlocking a lock owned by another thread.
175) Improper input validation (CVE-ID: CVE-2026-43209)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in minix_check_superblock() when mounting a crafted minix filesystem image. A local user can supply a malformed filesystem image with invalid superblock fields to cause a denial of service.
176) NULL pointer dereference (CVE-ID: CVE-2026-43207)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the mtk-mdp probe function when handling a failed return from vpu_get_plat_device(). A local user can trigger the vulnerable code path to cause a denial of service.
177) Out-of-bounds write (CVE-ID: CVE-2026-43206)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to an out-of-bounds write in kfd_event_page_set() when processing a user-supplied buffer size parameter. A local user can pass a small buffer to trigger an out-of-bounds kernel memory write to escalate privileges.
178) Out-of-bounds write (CVE-ID: CVE-2026-43205)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in dpaa2_switch_fdb_get_flood_cfg() when processing firmware-reported switch interface attributes. A local user can provide a crafted firmware-reported num_ifs value to cause a denial of service.
The issue can also occur when num_ifs equals the maximum interface count and all ports match the flood filter, causing the control interface entry to overflow the fixed-size array by one slot.
179) Use-after-free (CVE-ID: CVE-2026-43203)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in the fore200e tx_tasklet and rx_tasklet handlers when handling tasklets during device removal. A local attacker can trigger a race condition involving device detachment and pending or running tasklets to cause a denial of service.
The issue occurs when a PCA-200E or SBA-200E adapter is being detached.
180) Memory leak (CVE-ID: CVE-2026-43202)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in vt8500lcdfb when handling an error path after allocating a framebuffer with dma_alloc_coherent(). A local user can trigger the error condition to cause a denial of service.
181) Out-of-bounds read (CVE-ID: CVE-2026-43201)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in log_arm_hw_error() when processing malformed ARM processor error records. A local attacker can provide a very small or incomplete error record to trigger a kernel oops and cause a denial of service.
182) Function Call with Incorrectly Specified Arguments (CVE-ID: CVE-2026-43200)
CWE-ID: CWE-628 - Function Call with Incorrectly Specified Arguments
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of callback parameters in pci_primary_epc_epf_unlink() and pci_secondary_epc_epf_unlink() when processing configfs unlink operations. A local user can issue an unlink command in configfs to cause a denial of service.
183) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43199)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in mlx5e_ipsec_init_macs() when handling IPsec MAC address query events. A local user can trigger the affected workqueue path to cause a denial of service.
The issue is triggered because a sleeping hardware query is invoked from atomic context, leading to a kernel "scheduling while atomic" bug.
184) Double free (CVE-ID: CVE-2026-43196)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in pruss_clk_mux_setup() when handling an error path during clock mux setup. A local user can trigger the vulnerable error path to cause a denial of service.
185) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-43194)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of transmit error return codes in tcp_write_xmit() when processing GSO frames on qdisc-less network devices. A local user can trigger packet drops on a veth-based setup to cause a denial of service.
The issue occurs in configurations using qdisc-less devices, such as veth with TSO disabled and NAPI enabled, where loss of a single segment in a GSO super frame can be treated as loss of the entire frame and leave a TCP connection stuck.
186) Out-of-bounds read (CVE-ID: CVE-2026-43190)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the xt_tcpmss TCP option parser when parsing a TCP option field whose last byte is not EOL or NOP. A local user can supply a specially crafted packet to disclose sensitive information.
187) NULL pointer dereference (CVE-ID: CVE-2026-43189)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the v4l2 asynchronous sub-device matching logic when handling error paths after finding a matching fwnode. A local user can trigger a failure during sub-device registration or notification handling to cause a denial of service.
188) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43187)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause data loss.
The vulnerability exists due to improper state management in the XFS extended attribute leaf freemap handling code when processing setxattr operations. A local user can set extended attributes in a way that causes xattr namevalue entries to be allocated on top of the entries array to cause data loss.
The issue involves zero-length freemap entries with a nonzero base and can lead to overlapping freemap entries with the same base but different sizes.
189) Heap-based buffer overflow (CVE-ID: CVE-2026-43186)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in __ioam6_fill_trace_data() when processing a crafted incoming IPv6 IOAM packet on the receive path. A remote attacker can send a specially crafted packet to cause a denial of service.
A packet with an inconsistent nodelen field and type bits can trigger an out-of-bounds write of about 100 bytes into adjacent heap memory.
190) Improper Initialization (CVE-ID: CVE-2026-43184)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper initialization in rnbd-srv response buffer handling when exchanging response messages between different protocol versions. A remote attacker can trigger communication using mismatched protocol versions to disclose sensitive information.
The issue arises because stray bytes in the response buffer may be picked up by the client side.
191) Improper resource shutdown or release (CVE-ID: CVE-2026-43183)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in cx25821_dev_setup() when handling a failed ioremap() operation after acquiring a memory region. A local user can trigger the vulnerable code path to cause a denial of service.
192) Division by zero (CVE-ID: CVE-2026-43182)
CWE-ID: CWE-369 - Divide By Zero
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the ccs driver scaler configuration logic when calculating the maximum M value using the MIN_X_OUTPUT_SIZE limit register value. A local user can trigger the vulnerable calculation to cause a denial of service.
193) Race condition (CVE-ID: CVE-2026-43180)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to double submission of an active URB in kaweth_set_rx_mode() when handling rx mode changes during transmission. A local user can trigger network interface state changes to cause a denial of service.
The issue is caused by premature transmission queue wake-up while tx_urb is still in flight, which triggers the warning "URB submitted while active".
194) Out-of-bounds write (CVE-ID: CVE-2026-43175)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in the rs9 clock driver when registering clock hardware pointers for the 9FGV0841 chip. A local user can trigger the vulnerable driver path to cause a denial of service.
Memory corruption may affect adjacent members of struct rs9_driver_data, and the kernel is reported to crash when the driver is unbound or during suspend.
195) NULL pointer dereference (CVE-ID: CVE-2026-43173)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in ixp4xx_get_ts_info() when handling ethtool timestamp information requests. A local user can invoke the affected ioctl path to cause a denial of service.
The issue occurs on systems where the driver calls ixp46x_ptp_find() without properly verifying PTP support.
196) Integer underflow (CVE-ID: CVE-2026-43171)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information, cause a denial of service, or trigger a kernel oops.
The vulnerability exists due to an integer underflow in cper_print_fw_err() when processing a malformed firmware error record with an offset beyond the actual record length. A local user can provide a crafted error record to disclose sensitive information, cause a denial of service, or trigger a kernel oops.
The issue occurs on systems with bad or malformed firmware error records.
197) Improper synchronization (CVE-ID: CVE-2026-43170)
CWE-ID: CWE-662 - Improper Synchronization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper execution in atomic context in dwc3_gadget_vbus_draw() when invoking power-supply-core APIs. A local user can trigger USB gadget operations to cause a denial of service.
The issue can lead to a kernel panic because some PMIC operations may sleep.
198) Improper input validation (CVE-ID: CVE-2026-43169)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in drm/buddy allocation handling when processing allocation requests with a rounded size that exceeds the available memory manager size. A local user can submit a crafted allocation request to cause a denial of service.
The issue is triggered when size rounding for contiguous, non-contiguous, or large min_block_size allocations produces a value larger than mm->size, leading to a BUG_ON condition.
199) Improper handling of exceptional conditions (CVE-ID: CVE-2026-43168)
CWE-ID: CWE-755 - Improper Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper cleanup logic in the ocfs2 reflink xattr entry cleanup code when handling preserved xattr entries. A local user can trigger the flawed cleanup path to cause a denial of service.
200) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-43167)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in xfrm device event handling when processing NETDEV_UNREGISTER events for xfrm offload state. A local user can create xfrm state associated with a network device and then unregister the device to cause a denial of service.
The issue results in a leaked reference to struct net_device through struct xfrm_state, which can prevent the device from being freed.
201) Use-after-free (CVE-ID: CVE-2026-43163)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free race in write_page() when resizing an array while bitmap daemon work is iterating over bitmap->storage.filemap. A local user can trigger concurrent bitmap update and resize operations to cause a denial of service.
The issue occurs because the md thread can continue running during quiesce(), allowing concurrent access to freed pages.
202) NULL pointer dereference (CVE-ID: CVE-2026-43159)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in find_network() when freeing network data. A local user can trigger the vulnerable code path to cause a denial of service.
203) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43158)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in the XFS extended attribute leaf block freemap adjustment code when adding extended attributes to leaf blocks. A local user can set a crafted extended attribute to cause a denial of service.
The issue can corrupt free space accounting so that the name area overlaps the end of the entries array, triggering an assertion and shutting down the filesystem.
204) Memory leak (CVE-ID: CVE-2026-43157)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in cgx_lmac_exit() when unbinding and rebinding the driver. A local user can repeatedly unbind and rebind the driver to cause a denial of service.
The issue involves the rx_fc_pfvf_bmap and tx_fc_pfvf_bmap bitmaps allocated by cgx_lmac_init() and left unfreed during teardown.
205) Improper input validation (CVE-ID: CVE-2026-43156)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker with physical access to cause a denial of service.
The vulnerability exists due to improper input validation in pegasus_probe() when probing a malformed USB device with mismatched endpoint descriptors. An attacker with physical access can connect a specially crafted USB device to cause a denial of service.
The issue is triggered because the driver assumes fixed endpoint numbers and transfer types for RX, TX, and status interrupt URBs.
206) Use-after-free (CVE-ID: CVE-2026-43153)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in xfs_attr_leaf_hasname() when handling attribute leaf lookups after read or lookup errors. A local user can trigger error conditions to cause a denial of service.
207) NULL pointer dereference (CVE-ID: CVE-2026-43152)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the hid-pl driver when using force feedback after a failed device probe. A local user can trigger force feedback on a device in this state to cause a denial of service.
208) Improper input validation (CVE-ID: CVE-2026-43150)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory corruption.
The vulnerability exists due to improper input validation in the perf/arm-cmn driver when handling unsupported hardware configurations. A local user can use unsupported or unexpected CMN hardware configurations to cause memory corruption.
The issue arises from assumptions about maximum supported sizes and counts in the hardware topology.
209) Double free (CVE-ID: CVE-2026-43149)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in uhdlc_memclean() in the wan/fsl_ucc_hdlc component when cleaning up DMA-coherent buffers. A local user can trigger the cleanup of a crafted allocation state to cause a denial of service.
The issue arises because receive and transmit buffers are allocated together as a contiguous buffer but are freed as two separate buffers.
210) NULL pointer dereference (CVE-ID: CVE-2026-43148)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in parse_thread_groups() when parsing device tree thread group properties. A local user can trigger allocation failure conditions to cause a denial of service.
211) Deadlock (CVE-ID: CVE-2026-43147)
CWE-ID: CWE-833 - Deadlock
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a deadlock in the SR-IOV handling logic when writing to sysfs entries to disable virtual functions and remove a PCI device. A local user can write crafted values to the sriov_numvfs and remove sysfs attributes to cause a denial of service.
The issue is triggered by recursive acquisition of pci_rescan_remove_lock during device removal.
212) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-43145)
CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of a missing resource table in imx_rproc_elf_find_loaded_rsc_table() when starting firmware without a resource table. A local user can start crafted firmware lacking a resource table to cause a denial of service.
The issue occurs when the device tree contains an "rsc-table" entry but the current firmware does not provide a resource table.
213) Race condition (CVE-ID: CVE-2026-43143)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper synchronization in mfd_of_node_list handling when accessing or modifying the list. A local user can trigger concurrent list operations to cause a denial of service.
214) Integer underflow (CVE-ID: CVE-2026-43141)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an integer underflow in ntb_hw_switchtec when handling an NTB configuration with zero memory window lookup tables. A local user can trigger the vulnerable code path to cause a denial of service.
The issue occurs when the number of memory window lookup tables is set to zero.
215) Improper input validation (CVE-ID: CVE-2026-43140)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the HID magicmouse driver when processing a forged USB report descriptor. A local attacker can impersonate a magic mouse USB device to trigger a kernel crash.
This issue can be triggered by a fake USB device and is not expected to occur with actual magic mouse devices.
216) Use of Uninitialized Variable (CVE-ID: CVE-2026-43139)
CWE-ID: CWE-457 - Use of Uninitialized Variable
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use of uninitialized memory in xfrm6_get_saddr() when handling IPv6 source address selection failures. A local user can trigger network operations that cause ipv6_dev_get_saddr() to fail and use the uninitialized address to cause a denial of service.
217) NULL pointer dereference (CVE-ID: CVE-2026-43137)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in hda_dai_get_ops() in the snd_sof_intel_hda_common component when processing mismatched DAI links and topology data. A local user can trigger a broken topology configuration to cause a denial of service.
The issue can occur when the playback or capture widget is not set, including loopback capture for echo reference using the dummy DAI link.
218) Improper input validation (CVE-ID: CVE-2026-43136)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker with physical access to cause a denial of service.
The vulnerability exists due to improper input validation in hidpp_get_report_length() when parsing HID report descriptors from a USB device. An attacker with physical access can connect a fake USB gadget with a crafted report descriptor to cause a denial of service.
The issue is triggered when a report defines no valid fields.
219) Improper resource shutdown or release (CVE-ID: CVE-2026-43135)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in snd_cx23885_hw_params() when handling error conditions during DMA buffer setup. A local user can trigger an error path to cause a denial of service.
220) Improper input validation (CVE-ID: CVE-2026-43134)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass an encryption key size check.
The vulnerability exists due to improper input validation in the L2CAP LE connection request handling when processing L2CAP_LE_CONN_REQ packets. A remote attacker can send a specially crafted L2CAP_LE_CONN_REQ packet to bypass an encryption key size check.
221) Improper Initialization (CVE-ID: CVE-2026-43133)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in KVM nSVM VMLOAD/VMSAVE emulation when executing VMSAVE or VMLOAD in an L2 guest that is not intercepted by L1. A local user can execute crafted nested guest operations to cause a denial of service.
Exploitation requires a nested virtualization environment involving L1 and L2 guests.
222) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43132)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of error pointers in verity_fec_ctr() when creating dm-bufio clients. A local user can trigger a failure in dm_bufio_client_create() to cause a denial of service.
223) Improper input validation (CVE-ID: CVE-2026-43130)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper device state validation in dev-IOTLB flushing logic when detaching or releasing a PCIe device in scalable mode after the device link goes down. A local user can trigger device teardown for an inaccessible PCIe device to cause a denial of service.
The issue can hard-lock the system while releasing resources after a VM fails to connect to the PCIe device.
224) Double free (CVE-ID: CVE-2026-43128)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in the RDMA umem dma-buf pinning logic when handling a failure in ib_umem_dmabuf_get_pinned_with_dma_device(). A local user can trigger a failure in dma-buf page mapping to cause a denial of service.
The issue occurs because the dma-buf may be unpinned on the failure path while the pinned flag remains set, leading to a second unpin during the release and revoke path.
225) NULL pointer dereference (CVE-ID: CVE-2026-43124)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of a NULL return value in persistent_ram_vmap() when mapping the persistent ram buffer. A local user can trigger the vulnerable code path to cause a denial of service.
The issue occurs when a failed vmap() call is treated as a successful mapping because a non-zero offset produces a non-NULL pointer, which can later lead to dereference of an invalid address.
226) NULL pointer dereference (CVE-ID: CVE-2026-43123)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in fbcon when acquiring new framebuffer console info after fbcon_open() fails. A local user can trigger the vulnerable code path to cause a denial of service.
227) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43117)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of the superblock reference in the btrfs tracepoint event btrfs_sync_file() when overlay is used on top of btrfs. A local user can trigger file synchronization on the affected filesystem to cause a denial of service.
The issue occurs because the dentry superblock may resolve to the overlay superblock instead of the btrfs superblock.
228) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-43114)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of stale bits in nft_set_pipapo_avx2 match functions in the netfilter pipapo set implementation when processing crafted set elements during avx2-based matching. A local user can load and reload a crafted pipapo set to cause a denial of service.
The issue occurs with avx2 matching functions and can cause a non-matching expired entry to be treated as a match after a set flush and reload operation.
229) Out-of-bounds read (CVE-ID: CVE-2026-43071)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in dentry_hashtable when processing lookups with dhash_entries set to 1. A local user can trigger filesystem lookup operations to cause a denial of service.
The issue occurs because a single hash bucket can cause an invalid shift calculation that leads to access of unallocated memory.
230) Out-of-bounds read (CVE-ID: CVE-2026-43038)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in ip6_err_gen_icmpv6_unreach() when processing a forged ICMPv4 error containing a CIPSO IP option and an attacker-controlled inner IPv6 packet. A remote attacker can send a specially crafted ICMP error packet to cause a denial of service.
The issue arises because IPv4 control buffer data is reused as IPv6 control buffer data in a cloned skb, which can lead to a forged home address option offset being used during IPv6 TLV parsing.
231) Stack-based buffer overflow (CVE-ID: CVE-2026-43037)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a stack-based buffer overflow in ip4ip6_err() and __ip_options_echo() when processing a crafted packet that triggers ICMP error handling on a cloned skb. A remote attacker can send a specially crafted packet to execute arbitrary code.
The issue is caused by reusing skb cb[] data written by the IPv6 receive path as IPv4 metadata, allowing attacker-controlled packet data to influence the copied option length.
232) Double free (CVE-ID: CVE-2026-43011)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a double free in x25_queue_rx_frame and x25_backlog_rcv when processing received X.25 frames after an alloc_skb failure. A local attacker can trigger the error path to cause a denial of service.
233) Improper Initialization (CVE-ID: CVE-2026-31693)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper initialization in cifs replay handling when replaying requests. A local user can trigger request replay to cause a denial of service.
234) Improper locking (CVE-ID: CVE-2026-31687)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper locking in omap_gpio_probe() and omap_mpuio_driver registration when probing the gpio omap driver. A local user can trigger driver probing to cause a denial of service.
The issue can lead to a potential deadlock condition in the driver core.
235) Improper input validation (CVE-ID: CVE-2026-31685)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in ip6t_eui64 when processing packets with an invalid MAC header. A remote attacker can send a specially crafted packet to cause a denial of service.
236) Out-of-bounds read (CVE-ID: CVE-2026-31682)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in br_nd_send when parsing neighbor discovery options from a non-linear skb. A remote attacker can send a specially crafted ICMPv6 neighbor solicitation request to cause a denial of service.
237) Use-after-free (CVE-ID: CVE-2026-31669)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in __inet_lookup_established when performing concurrent ehash lookups on MPTCP IPv6 subflow child sockets under rcu_read_lock. A local user can trigger socket allocation and freeing patterns to cause a denial of service.
The issue affects MPTCP IPv6 subflow child sockets because they may be allocated from a cache without SLAB_TYPESAFE_BY_RCU, allowing freed memory to be reused during lockless lookups.
238) Improper access control (CVE-ID: CVE-2026-31668)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass routing policy restrictions.
The vulnerability exists due to improper access control in the seg6 lwtunnel dst_cache handling when processing input and output paths in different routing contexts. A local user can trigger packet processing through one path so that the other path reuses an incorrect cached destination to bypass routing policy restrictions.
The issue occurs because a single destination cache is shared between seg6_input_core() and seg6_output_core(), even though these paths may perform SID lookup under different routing contexts such as ingress-interface-based rules or VRF table separation.
239) Heap-based buffer overflow (CVE-ID: CVE-2026-31659)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.
The vulnerability exists due to a heap-based buffer overflow in batadv_tt_prepare_tvlv_global_data() when processing an oversized global TT response from a remote originator. A remote attacker can advertise a large global TT to trigger a wrapped allocation and write past the end of the heap object to cause a denial of service or execute arbitrary code.
240) Use-after-free (CVE-ID: CVE-2026-31657)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the batman-adv BLA claim handling code when processing netlink claim dump operations or checking claims. A local user can trigger concurrent claim updates and reader access to dereference a freed backbone gateway pointer to cause a denial of service.
241) Integer underflow (CVE-ID: CVE-2026-31649)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information and cause memory corruption.
The vulnerability exists due to an integer underflow in the jumbo_frm() chain-mode implementation in the stmmac driver when processing a packet whose linear portion is smaller than the buffer size but whose total length exceeds it due to page fragments. A local user can send a specially crafted packet to disclose sensitive information and cause memory corruption.
On systems without an IOMMU, the issue can cause DMA mappings to reference kernel memory beyond the skb buffer.
242) Improper input validation (CVE-ID: CVE-2026-31637)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in rxkad_decrypt_ticket() when processing a malformed RXKAD RESPONSE ticket with a non-block-aligned length. A remote attacker can send a specially crafted response ticket to cause a denial of service.
243) Heap-based buffer overflow (CVE-ID: CVE-2026-31607)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.
The vulnerability exists due to a heap-based buffer overflow in usbip_pack_ret_submit() when processing a RET_SUBMIT response from a USB/IP server. A remote attacker can send a specially crafted response with an oversized number_of_packets value to cause a denial of service or execute arbitrary code.
The issue occurs because the response value is later used as the loop bound for accesses to urb->iso_frame_desc[], whose allocation size was determined by the original submission.
244) Incorrect Calculation of Buffer Size (CVE-ID: CVE-2026-31478)
CWE-ID: CWE-131 - Incorrect Calculation of Buffer Size
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper buffer size calculation in smb2_calc_max_out_buf_len() when handling SMB2 compound read responses. A remote user can send a specially crafted SMB request to cause a denial of service.
245) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31448)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in ext4_ext_map_blocks() and ext4_xattr_block_set() when handling mkdir or mknod operations after a failed extent insertion. A local user can trigger filesystem operations that leave residual extent metadata to cause a denial of service.
The issue can result in an infinite loop and prolonged blocking while the inode lock is not released.
246) Double free (CVE-ID: CVE-2026-31436)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double completion in llist_abort_desc() when aborting descriptor lists. A local user can trigger descriptor completion handling to cause a denial of service.
The issue can also result in descriptor leaks.
247) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31418)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in mtype_del in the ipset netfilter subsystem when deleting entries from buckets containing only deleted slots below the current position. A local user can trigger bucket deletion handling with crafted set operations to cause a denial of service.
248) Improper input validation (CVE-ID: CVE-2026-31411)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in sigd_send() when handling sendmsg() input containing a forged vcc pointer. A local user can send a specially crafted message to cause a denial of service.
Exploitation requires control of the ATM signaling daemon role via the ATMSIGD_CTRL ioctl.
249) Heap-based buffer overflow (CVE-ID: CVE-2026-31402)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to corrupt heap memory.
The vulnerability exists due to a heap-based buffer overflow in the NFSv4.0 LOCK replay cache when encoding denied LOCK operation responses. A remote attacker can trigger conflicting lock requests with a large lock owner value to corrupt heap memory.
The issue is caused by copying an encoded LOCK denied response into a fixed 112-byte inline replay buffer without sufficient bounds checking, resulting in a slab out-of-bounds write of up to 944 bytes. Exploitation requires two cooperating NFSv4.0 clients and can be performed remotely without authentication.
250) Out-of-bounds read (CVE-ID: CVE-2026-23455)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in DecodeQ931() in the nf_conntrack_h323 netfilter component when parsing a crafted Q.931 packet with a zero UserUserIE length field. A remote attacker can send a specially crafted packet to disclose sensitive information.
The issue occurs because a 16-bit length value is decremented by 1 to skip the protocol discriminator byte, and an encoded length of 0 wraps to -1 and is then passed to DecodeH323_UserInformation() as a large value.
251) NULL pointer dereference (CVE-ID: CVE-2026-23450)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in smc_tcp_syn_recv_sock() when processing TCP connection requests concurrently with closing an SMC listen socket. A remote attacker can send network traffic that triggers access to a NULL sk_user_data pointer to cause a denial of service.
The issue arises when sk_user_data is set to NULL during the close path while the TCP receive path reads it and dereferences the associated state, leading to a kernel panic.
252) Use-after-free (CVE-ID: CVE-2026-23450)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a race condition leading to a NULL pointer dereference and use-after-free in smc_tcp_syn_recv_sock() when processing TCP connection requests concurrently with closing an SMC listen socket. A remote attacker can send network traffic that triggers the TCP handshake path to cause a denial of service.
The issue occurs because sk_user_data may become NULL or reference a freed smc_sock while the TCP receive path accesses it, resulting in a kernel panic.
253) Use-after-free (CVE-ID: CVE-2026-23428)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in smb2_get_ksmbd_tcon compound request handling when processing crafted compound SMB requests. A remote attacker can send a compound request that disconnects a tree connection and then triggers subsequent commands to dereference freed share_conf data to cause a denial of service.
The issue occurs because the compound request reuse path reuses work->tcon without validating that t_state remains TREE_CONNECTED after an SMB2_TREE_DISCONNECT operation.
254) Use After Free (CVE-ID: CVE-2026-23392)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code or escalate privileges.
The vulnerability exists due to a use-after-free in the netfilter nf_tables component when handling flowtable hooks during error conditions. A local user can trigger a use-after-free condition by exploiting the improper release of a flowtable after an RCU grace period, leading to arbitrary code execution or privilege escalation.
Exploitation requires the ability to interact with the nfnetlink subsystem, typically available to local users with access to netfilter configuration interfaces.
255) Resource exhaustion (CVE-ID: CVE-2026-23278)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the netfilter nf_tables component when processing transaction batches containing multiple catchall elements. A local user can provide a specially crafted batch request to cause a denial of service.
Exploitation requires the ability to inject or modify netfilter rules via the nf_tables interface, which is typically restricted to privileged users. The issue occurs during transaction abort processing, leading to a use-after-free condition that triggers a kernel warning and system instability.
256) Use After Free (CVE-ID: CVE-2026-23272)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code, escalate privileges, and cause a denial of service.
The vulnerability exists due to a use-after-free in the netfilter nf_tables component when handling set element insertion in a full set. A local user can send a specially crafted request to trigger improper RCU handling, leading to a use-after-free condition.
Exploitation requires non-administrative local privileges and does not require user interaction. The vulnerability occurs during normal operation of netfilter rules with full sets.
257) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-23267)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a race condition in the F2FS filesystem's handling of checkpoint flags during atomic write operations when processing concurrent atomic commit and checkpoint writes. A local user can trigger a specially crafted sequence of atomic file operations to cause an inconsistency in the IS_CHECKPOINTED flag, leading to improper state management of node pages.
The issue arises specifically during atomic write scenarios where a concurrent checkpoint write completes before the atomic commit fully marks the page, resulting in incorrect flag state that can be exploited to manipulate filesystem metadata structures.
258) Symbolic Name not Mapping to Correct Object (CVE-ID: CVE-2026-23266)
CWE-ID: CWE-386 - Symbolic Name not Mapping to Correct Object
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a divide error in the fbdev: rivafb component when handling FBIOPUT_VSCREENINFO ioctl calls. A local user can send a specially crafted request to cause a divide error and crash the kernel.
The attacker can trigger the issue by calling FBIOPUT_VSCREENINFO on /dev/fb* with a malicious or misconfigured device that causes the state->mclk_khz value to be zero, leading to a division by zero in nv3_arb().
259) NULL Pointer Dereference (CVE-ID: CVE-2026-23249)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the XFS filesystem's btree revalidation functionality when handling ioctl requests. A local user can trigger a specially crafted ioctl request to cause a NULL pointer dereference and crash the system.
The attacker must have privileges to perform XFS filesystem scrub operations, which typically requires administrative privileges.
260) Out-of-bounds read (CVE-ID: CVE-2026-23243)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a boundary error in the RDMA/umad component when processing user-controlled MAD headers. A local user can send a specially crafted request with mismatched MAD header size and RMPP header length to cause a denial of service.
Exploitation requires access to the RDMA UMAD interface. The vulnerability can trigger an out-of-bounds write in kernel memory, leading to system instability or crash.
261) NULL Pointer Dereference (CVE-ID: CVE-2026-23242)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the RDMA/siw component when processing incoming RDMA packets. A local user can trigger improper error handling to cause a denial of service.
Exploitation requires access to the RDMA subsystem and the ability to send crafted packets over TCP. The vulnerability affects the siw (Soft iWarp) driver in the Linux kernel.
262) Insufficient logging (CVE-ID: CVE-2026-23241)
CWE-ID: CWE-778 - Insufficient Logging
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass audit logging for specific file operations.
The vulnerability exists due to improper input validation in the audit subsystem when handling getxattrat() and listxattrat() system calls. A local user can perform extended attribute retrieval operations on files to bypass configured audit rules intended to monitor read, write, and attribute access.
Successful exploitation requires the ability to execute system calls on files with extended attributes and existing audit rules that monitor attribute access. The impact includes reduced audit trail visibility, potentially enabling undetected access to sensitive files.
263) Improper error handling (CVE-ID: CVE-2026-23238)
CWE-ID: CWE-388 - Error Handling
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper error handling within the romfs_fill_super() function in fs/romfs/super.c. A local user can perform a denial of service (DoS) attack.
264) NULL pointer dereference (CVE-ID: CVE-2026-23237)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference within the cmpc_accel_sensitivity_show_v4(), cmpc_accel_sensitivity_store_v4(), cmpc_accel_g_select_show_v4(), cmpc_accel_g_select_store_v4(), cmpc_accel_open_v4(), cmpc_accel_sensitivity_show() and cmpc_accel_sensitivity_store() functions in drivers/platform/x86/classmate-laptop.c. A local user can perform a denial of service (DoS) attack.
265) Memory leak (CVE-ID: CVE-2026-23236)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a memory leak within the ufx_ops_ioctl() function in drivers/video/fbdev/smscufx.c. A local user can perform a denial of service (DoS) attack.
266) Out-of-bounds read (CVE-ID: CVE-2026-23235)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the main_blkaddr_show(), f2fs_sbi_show() and __sbi_store() functions in fs/f2fs/sysfs.c. A local user can perform a denial of service (DoS) attack.
267) Use-after-free (CVE-ID: CVE-2026-23234)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the f2fs_write_end_io() function in fs/f2fs/data.c. A local user can escalate privileges on the system.
268) Buffer overflow (CVE-ID: CVE-2026-23233)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory corruption within the check_swap_activate() function in fs/f2fs/data.c. A local user can perform a denial of service (DoS) attack.
269) Input validation error (CVE-ID: CVE-2026-23230)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within fs/smb/client/cached_dir.h. A local user can perform a denial of service (DoS) attack.
270) Improper locking (CVE-ID: CVE-2026-23229)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the virtcrypto_done_task() function in drivers/crypto/virtio/virtio_crypto_core.c. A local user can perform a denial of service (DoS) attack.
271) Memory leak (CVE-ID: CVE-2026-23228)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a memory leak within the ksmbd_tcp_new_connection() function in fs/smb/server/transport_tcp.c. A local user can perform a denial of service (DoS) attack.
272) Buffer overflow (CVE-ID: CVE-2026-23222)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to memory corruption within the omap_crypto_copy_sg_lists() function in drivers/crypto/omap-crypto.c. A local user can escalate privileges on the system.
273) Use-after-free (CVE-ID: CVE-2026-23221)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the driver_override_show() function in drivers/bus/fsl-mc/fsl-mc-bus.c. A local user can escalate privileges on the system.
274) Infinite loop (CVE-ID: CVE-2026-23220)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop within the __process_request() function in fs/smb/server/server.c. A local user can perform a denial of service (DoS) attack.
275) Improper locking (CVE-ID: CVE-2026-23169)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the __reset_counters() function in net/mptcp/pm_kernel.c. A local user can perform a denial of service (DoS) attack.
276) Incorrect calculation (CVE-ID: CVE-2026-23100)
CWE-ID: CWE-682 - Incorrect Calculation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an incorrect calculation within include/linux/hugetlb.h. A local user can perform a denial of service (DoS) attack.
277) Integer overflow (CVE-ID: CVE-2025-71305)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an integer underflow leading to a shift-out-of-bounds condition in drm_dp_atomic_release_time_slots in the drm/display/dp_mst subsystem when releasing DisplayPort MST timeslots after a monitor disconnect event. A local user can trigger a crafted hotplug and disconnect sequence to cause a denial of service.
The issue can occur when delayed destroy work runs after a DP 2.1 monitor is disconnected, causing the VCPI value to become 0.
278) Improper control of a resource through its lifetime (CVE-ID: CVE-2025-71304)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in /smack/doi handling when reusing a previously written DOI value. A local user can write a previously used value to /smack/doi to cause a denial of service.
Networking for non-ambient labels is disrupted because the default IPv4 domain map is not restored.
279) Improper input validation (CVE-ID: CVE-2025-71297)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state validation in rtw8822b_set_antenna() and rtw8822b_config_trx_mode() when handling userspace antenna configuration requests while the chip is powered off. A local user can send a crafted netlink request to trigger a kernel warning and cause a denial of service.
The issue is triggered when the device is powered off.
280) NULL pointer dereference (CVE-ID: CVE-2025-71295)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in try_to_free_buffers() when releasing a folio belonging to a mapping with AS_RELEASE_ALWAYS set but no release_folio operation defined. A local user can trigger this code path to cause a denial of service.
The issue occurs when the folio has no buffers attached.
281) NULL pointer dereference (CVE-ID: CVE-2025-71294)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in buffer_funcs in the amdgpu driver when handling operations with SDMA block disabled. A local user can trigger the vulnerable code path to cause a denial of service.
Exploitation requires the SDMA block to be disabled.
282) Integer overflow (CVE-ID: CVE-2025-71292)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an integer overflow in jfs_rename when renaming a child directory within the same parent directory while the parent directory link count is at its maximum value. A local user can rename a child directory in such a directory to cause a denial of service.
The issue can trigger a kernel warning when the directory link count wraps around to 0.
283) NULL pointer dereference (CVE-ID: CVE-2025-71291)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null-pointer dereference in bcm_vk_read() when handling message data. A local user can trigger a code path where a potentially NULL entry pointer is dereferenced to cause a denial of service.
284) Heap-based buffer overflow (CVE-ID: CVE-2025-71286)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in ipc4-topology bytes controls when processing topology data. A local user can supply crafted topology data to cause a denial of service.
285) Use-after-free (CVE-ID: CVE-2025-71274)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in driver_override_show() when reading the driver_override string concurrently with updates. A local user can trigger concurrent read and write operations to cause a denial of service.
286) Memory leak (CVE-ID: CVE-2025-71273)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in rtw_register_hw() when handling error paths during supported band registration. A local user can trigger the vulnerable code path to cause a denial of service.
287) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2025-71272)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a resource leak in most_register_interface() when handling error paths before device registration. A local user can trigger an error condition to cause a denial of service.
288) Loop with Unreachable Exit Condition ('Infinite Loop') (CVE-ID: CVE-2025-71267)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to an infinite loop in the ntfs3 file system driver when processing a malformed NTFS image with a zero-sized ATTR_LIST attribute. A local attacker can mount a specially crafted NTFS image to cause a denial of service.
The attacker needs physical or local access to insert or mount the malicious NTFS image; no authentication beyond mounting the filesystem is required. The system becomes unresponsive during mount due to an infinite loop in kernel space.
289) Loop with Unreachable Exit Condition ('Infinite Loop') (CVE-ID: CVE-2025-71266)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the ntfs3 filesystem when handling a malformed dentry during lookup operations. A local attacker can provide a specially crafted NTFS-3 volume to cause a denial of service.
The attacker manipulates the HAS_SUB_NODE flag and VCN pointer in an INDEX_ENTRY, causing the indx_find() function to enter an infinite loop, repeatedly allocating memory until system resources are exhausted.
290) Loop with Unreachable Exit Condition ('Infinite Loop') (CVE-ID: CVE-2025-71265)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to an infinite loop in the ntfs3 file system's attr_load_runs_range function when processing inconsistent metadata. A local attacker can provide a malformed NTFS image to cause a denial of service.
The attacker-controlled NTFS image contains inconsistent metadata where an attribute header indicates an empty run list (evcn=-1 with svcn=0), but directory entries reference it as containing data. After a successful but empty run_unpack() call, the runs_tree remains uninitialized, causing subsequent run_lookup_entry() calls to fail and vcn to increment by zero, resulting in an infinite loop.
291) Insufficient logging (CVE-ID: CVE-2025-71239)
CWE-ID: CWE-778 - Insufficient Logging
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass audit logging.
The vulnerability exists due to improper audit event classification in the audit subsystem when handling the fchmodat2() system call. A local user can invoke fchmodat2() to change file attributes in a manner similar to chmod() or fchmodat(), which bypasses existing audit rules designed to monitor such operations.
The vulnerability specifically affects audit rules that monitor file attribute changes, allowing unauthorized attribute modifications to go unlogged. Authentication and local access are required to exploit this vulnerability.
292) Double free (CVE-ID: CVE-2025-71238)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a double free error within the qla2x00_update_optrom() function in drivers/scsi/qla2xxx/qla_bsg.c. A local user can perform a denial of service (DoS) attack.
293) Improper locking (CVE-ID: CVE-2025-71237)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the nilfs_sufile_trim_fs() function in fs/nilfs2/sufile.c. A local user can perform a denial of service (DoS) attack.
294) Use-after-free (CVE-ID: CVE-2025-71236)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the qla_fab_async_scan() function in drivers/scsi/qla2xxx/qla_gs.c. A local user can escalate privileges on the system.
295) Use-after-free (CVE-ID: CVE-2025-71235)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the qla2x00_wait_for_hba_ready() function in drivers/scsi/qla2xxx/qla_os.c. A local user can escalate privileges on the system.
296) NULL pointer dereference (CVE-ID: CVE-2025-71233)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference within the pci_ep_cfs_add_type_group() and pci_epf_make() functions in drivers/pci/endpoint/pci-ep-cfs.c. A local user can perform a denial of service (DoS) attack.
297) Improper locking (CVE-ID: CVE-2025-71232)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the qla_fab_async_scan() function in drivers/scsi/qla2xxx/qla_gs.c. A local user can perform a denial of service (DoS) attack.
298) Out-of-bounds read (CVE-ID: CVE-2025-71231)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the function in drivers/crypto/intel/iaa/iaa_crypto_main.c. A local user can perform a denial of service (DoS) attack.
299) Resource management error (CVE-ID: CVE-2025-71229)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a resource management error within the rtw_core_enable_beacon() function in drivers/net/wireless/realtek/rtw88/main.c. A local user can perform a denial of service (DoS) attack.
300) Improper locking (CVE-ID: CVE-2025-40005)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the cqspi_indirect_read_execute(), cqspi_indirect_write_execute(), cqspi_exec_mem_op(), cqspi_probe() and cqspi_remove() functions in drivers/spi/spi-cadence-quadspi.c. A local user can perform a denial of service (DoS) attack.
Remediation
Install the update from the vendor's website.