SB2026070840 - SUSE update for the Linux Kernel
Published: July 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 89 vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2026-46274)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to a use-after-free in io_wq_remove_pending() and hash_tail handling in io_uring when cancelling hashed bucket-0 work with a non-hashed predecessor in the work list. A local user can trigger cancellation and subsequent hashed work insertion to execute arbitrary code.
The dangling pointer can persist for the lifetime of the task because the io_wq is per-task and survives ring open and close operations.
2) Use-after-free (CVE-ID: CVE-2026-52943)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a use-after-free in pskb_carve_inside_header() and pskb_carve_inside_nonlinear() when copying skb_shared_info for MSG_ZEROCOPY skbs. A local user can trigger repeated zerocopy skb operations to escalate privileges.
The issue is caused by copying the destructor_arg pointer into a new skb_shared_info without incrementing the associated zerocopy reference count, which can prematurely free ubuf_info_msgzc while transmit skbs still hold live references.
3) Use-after-free (CVE-ID: CVE-2026-52923)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in ipc_idr_alloc() in the checkpoint/restore SysV IPC allocation path when processing a request for the next SysV IPC id. A local user can request allocation beyond the valid IPC id range to cause a denial of service.
A subsequent walk of /proc/sysvipc/shm can dereference freed memory through a stale IDR entry.
4) Race condition (CVE-ID: CVE-2026-52918)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in bt_sock_poll() and the Bluetooth accept queue when polling Bluetooth sockets. A local user can trigger concurrent socket teardown and accept queue access to cause a denial of service.
The issue occurs because the accept queue is walked without synchronization while child teardown can unlink a socket and drop its last reference.
5) Improper access control (CVE-ID: CVE-2026-52909)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to move a fallback tunnel device to another network namespace.
The vulnerability exists due to improper access control in the ip6_vti fallback tunnel device initialization when initializing the per-network-namespace fallback device. A local user can move the ip6_vti0 device to another network namespace to move a fallback tunnel device to another network namespace.
The issue affects the per-netns fallback tunnel device ip6_vti0.
6) Improper access control (CVE-ID: CVE-2026-52908)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain write access to memory regions that were not properly pinned as writable.
The vulnerability exists due to improper access control in RDMA memory region re-registration handling when changing IB_MR_REREG_ACCESS from read-only to read-write. A local user can re-register a memory region with writable access to gain write access to memory regions that were not properly pinned as writable.
The issue occurs when a driver reuses an existing umem during memory region re-registration.
7) Out-of-bounds write (CVE-ID: CVE-2026-46331)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory corruption.
The vulnerability exists due to an out-of-bounds write in tcf_pedit_act() when processing packet edit actions with typed keys and runtime header offsets. A local user can supply crafted pedit parameters that cause writes to a region that has not been properly copy-on-written to cause memory corruption.
The issue can involve negative offsets such as Ethernet header edits at ingress.
8) Incorrect calculation (CVE-ID: CVE-2026-46328)
CWE-ID: CWE-682 - Incorrect Calculation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of rlimit updates in AppArmor resource limit enforcement when transitioning rlimits for posix cpu timers. A local user can trigger an incorrect cpu time limit update to cause a denial of service.
The issue affects systems with posix timers enabled.
9) Improper resource shutdown or release (CVE-ID: CVE-2026-46320)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in tap_get_user_xdp() when processing XDP frames. A local user can send a crafted short frame or trigger skb allocation failure to cause a denial of service.
Each rejected frame in a batch leaks one page-frag chunk.
10) Use-after-free (CVE-ID: CVE-2026-46319)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a use-after-free race condition in tcf_ct_flow_table_get() in net/sched/act_ct.c when looking up a flow table and incrementing its reference count. A local user can trigger the race during act_ct initialization to escalate privileges.
The race window is very short and occurs after the flow table object is returned from the hash table lookup but before its reference count is successfully incremented.
11) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2026-46291)
CWE-ID: CWE-532 - Information Exposure Through Log Files
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to insertion of sensitive information into log files in hash_digest_key in the caam hash implementation when debug hex dumps are generated with CONFIG_DYNAMIC_DEBUG enabled. A local user can read exposed HMAC key bytes from debug output to disclose sensitive information.
The issue affects HMAC key material handled by the CAAM crypto driver.
12) Out-of-bounds write (CVE-ID: CVE-2026-46289)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in extract_kvec_to_sg in lib/scatterlist.c when extracting a kvec into a scatterlist. A local user can trigger the function with crafted kvec data to cause a denial of service.
13) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-52954)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of duplicate rbtree keys in decode_choose_args() when processing a crafted CEPH_MSG_OSD_MAP message containing duplicate choose_args_index values. A remote attacker can send a specially crafted message to cause a denial of service.
14) Improper input validation (CVE-ID: CVE-2026-46266)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to alter forwarding and path MTU exception handling state.
The vulnerability exists due to improper input validation in RAW socket handling in the IPv4 and IPv6 ICMP error delivery paths when processing malicious incoming ICMP packets with an embedded packet header using protocol 255. A remote attacker can send a specially crafted ICMP packet to alter forwarding and path MTU exception handling state.
Exploitation requires the presence of a RAW socket created with IPPROTO_RAW.
15) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-46254)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of unaligned memory access in AppArmor dfa table unpacking in security/apparmor/match.c when parsing a crafted AppArmor dfa blob. A local user can supply a specially crafted policy blob to trigger unaligned memory access and cause a denial of service.
The issue can be triggered by dfa tables originating from userspace, and it affects architectures that fault on unaligned memory accesses.
16) Heap-based buffer overflow (CVE-ID: CVE-2026-46253)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow and an out-of-bounds read in persistent_ram_save_old() and ramoops_pstore_read() when processing persistent crash records after repeated calls for the same persistent_ram_zone. A local user can trigger a survivable crash sequence with a larger subsequent record to cause a denial of service.
Exploitation requires a prior crash record that did not fill the record size, pstore_update_ms to be enabled, and a non-fatal oops so the system continues running.
17) Improper Initialization (CVE-ID: CVE-2026-46229)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper initialization in the KFD VRAM allocation path when allocating VRAM buffers for compute kernels. A local user can allocate VRAM buffers and observe stale data from prior use to disclose sensitive information.
Stale page table remnants may be exposed in user buffers.
18) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46214)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper state management in virtio_transport_recv_listen() when handling connection attempts with a transport mismatch. A remote attacker can trigger repeated transport mismatch failures to cause a denial of service.
After enough such failures, the listener rejects all new connections because the accept queue backlog count remains permanently incremented.
19) Out-of-bounds read (CVE-ID: CVE-2026-46185)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in symlink_data() when processing an SMB2 symlink error response. A remote attacker can send a specially crafted SMB2 response to disclose sensitive information.
The issue can occur when the response buffer is shorter than the expected SMB2 error response structure.
20) Use-after-free (CVE-ID: CVE-2026-46173)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory corruption.
The vulnerability exists due to use-after-free in make_task_dead()/do_task_dead() task exit handling when an already-exiting task oopses during task exit. A local user can trigger an oops in a file_operations::release handler to cause memory corruption.
This can result in two tasks running on the same stack.
21) Out-of-bounds read (CVE-ID: CVE-2026-46133)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in rxe_icrc_hdr() and opcode handling in the Soft RoCE receive path when processing a specially crafted UDP packet with an unknown RDMA opcode. A remote attacker can send a specially crafted UDP packet to trigger an out-of-bounds read and cause a denial of service.
The issue can be triggered without authentication after the RDMA RXE interface is enabled, and no queue pair or connection setup is required.
22) Improper input validation (CVE-ID: CVE-2026-46124)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper input validation in isofs_export_iget when processing block numbers from NFS file handles. A remote user can send a crafted NFS file handle to disclose sensitive information.
Exploitation requires an authenticated NFS peer and affects isofs exported over NFS from loop-mounted images.
23) Use-after-free (CVE-ID: CVE-2026-46116)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in __xfrm_state_delete when deleting xfrm_state list entries during xfrm_state lifecycle handling. A local user can trigger repeated deletion of the same xfrm_state object to cause a denial of service.
The issue was reproduced under syzkaller load during network namespace cleanup in the xfrm subsystem.
24) Use-after-free (CVE-ID: CVE-2026-53072)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in hci_conn_request_evt() when handling deferred Bluetooth connection requests. A local user can trigger concurrent connection handling to cause a denial of service.
Only SCO deferred setup listen code paths are affected.
25) Out-of-bounds write (CVE-ID: CVE-2026-53362)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to corrupt kernel memory.
The vulnerability exists due to an out-of-bounds write in __ip6_append_data() when processing UDPv6 socket data with MSG_MORE and MSG_SPLICE_PAGES on the paged allocation path. A local user can send crafted data through a UDPv6 socket to corrupt kernel memory.
The issue occurs when fraggap is non-zero and the paged-allocation branch is taken, causing writes past skb->end into trailing skb_shared_info.
26) Use-after-free (CVE-ID: CVE-2026-53359)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the KVM x86 shadow paging logic when changing a PDE mapping from outside the guest and deleting a memslot. A local user can trigger stale rmap entries and subsequent dereference of a freed sptep to cause a denial of service.
The issue occurs when a modified PDE points to a non-leaf page, causing a role mismatch between reused shadow pages for large 2MB mappings and new 4KB mappings.
27) Insufficient Logging (CVE-ID: CVE-2026-53287)
CWE-ID: CWE-778 - Insufficient Logging
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to conceal capability changes in audit records.
The vulnerability exists due to incorrect data recording in __audit_log_capset() in the audit subsystem when logging CAPSET operations. A local user can modify inheritable capabilities to conceal capability changes in audit records.
This can mask preparation for a privilege-escalating exec in audit data used for compliance and forensic analysis.
28) Use-after-free (CVE-ID: CVE-2026-53281)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service or execute arbitrary code.
The vulnerability exists due to a NULL pointer dereference and use-after-free in the Intel VT-d IOMMU PASID teardown logic when detaching a domain that was not attached to the IOMMU or when a PASID entry is not found. A local user can trigger teardown operations on an invalid or missing PASID association to cause a denial of service or execute arbitrary code.
The issue can also corrupt reference counts, which may prematurely drop a shared domain reference to zero for remaining active devices.
29) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-53266)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory handling in the ebtables SNAT target ARP sender hardware address rewrite in net/bridge/netfilter/ebt_snat.c when processing ARP packets in bridge netfilter hooks. A local user can trigger ARP sender hardware address rewriting on a crafted nonlinear skb to cause a denial of service.
Exploitation requires the ARP sender hardware address rewrite path to be reached with a nonlinear skb fragment backed by a splice-imported file page.
30) Out-of-bounds read (CVE-ID: CVE-2026-53253)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in bnep_rx_frame() and bnep_rx_control() in the BNEP packet parser when processing short BNEP frames. A remote attacker can send a specially crafted short BNEP SDU to cause a denial of service.
The issue is triggered by malformed control packets with missing fixed fields or an empty control payload.
31) Improper input validation (CVE-ID: CVE-2026-53182)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in nl80211_parse_rnr_elems() when parsing nested NL80211_ATTR_EMA_RNR_ELEMS input. A local user can send a specially crafted nl80211 message to cause a denial of service.
The issue is related to the element count being stored in a u8-backed cfg80211_rnr_elems::cnt field and incremented past its supported limit.
32) Out-of-bounds read (CVE-ID: CVE-2026-53138)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker with physical access to cause a denial of service or disclose sensitive information.
The vulnerability exists due to an out-of-bounds read and unbounded iteration in amd display bios_parser.c and bios_parser2.c record-chain walk loops when parsing a malformed VBIOS image during probe time. An attacker with physical access can provide a crafted VBIOS image missing the terminator record to cause a denial of service or disclose sensitive information.
The issue is triggered when the VBIOS record chain lacks the 0xFF terminator record or uses a zero-sized termination condition incorrectly.
33) Integer overflow (CVE-ID: CVE-2026-53133)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to integer overflow in __rdma_block_iter_next() in the RDMA umem block iterator when reassembling split scatter-gather entries during IOMMU-backed mapping linearization. A local user can trigger processing of a very large mapped block to cause a denial of service.
The issue occurs for block sizes greater than or equal to 4G when a single large block is split across multiple scatter-gather entries.
34) Deadlock (CVE-ID: CVE-2026-53122)
CWE-ID: CWE-833 - Deadlock
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a deadlock condition in the btrfs reflink operation when processing reflink operations with the flushoncommit mount option enabled. A local user can trigger a reflink of an inline extent to an offset beyond the destination inode size to cause a denial of service.
Exploitation requires the flushoncommit mount option and a reflink operation that copies an inline extent beyond the current i_size of the destination inode.
35) Improper locking (CVE-ID: CVE-2026-46112)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to corrupt memory.
The vulnerability exists due to improper locking in hns_roce_create_qp_common() and hns_roce_qp_remove() when handling error unwind during queue pair creation. A local user can trigger the error path to corrupt memory.
36) Race condition (CVE-ID: CVE-2026-53071)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to corrupt kernel memory.
The vulnerability exists due to a race condition in l2cap_ecred_reconf_rsp in the L2CAP subsystem when processing a crafted L2CAP ECRED reconfiguration response from a remote BLE device. A remote attacker can send a specially crafted L2CAP ECRED reconfiguration response to corrupt kernel memory.
Exploitation requires concurrent channel list iteration by another thread.
37) Improper access control (CVE-ID: CVE-2026-53053)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper access of device identifier data in clone_alias() in the AMD IOMMU subsystem when processing PCI DMA aliases. A local user can trigger alias cloning for a device to cause a denial of service.
Incorrect source device identifiers can cause wrong or stale device table entries to be propagated to an alias device.
38) Memory corruption (CVE-ID: CVE-2026-53052)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to incorrect memory access in the qdsp6 topology widget unload handler when processing a virtual widget without checking its type before accessing private data. A local user can trigger the vulnerable code path to cause a denial of service.
39) Improper input validation (CVE-ID: CVE-2026-53041)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the ocfs2 xattr list handling logic when processing listxattr requests for inodes with both inline and block-based extended attributes. A local user can invoke listxattr on a crafted OCFS2 inode state to cause a denial of service.
The issue occurs when inline extended attribute names exactly consume the caller buffer and additional block-based extended attribute names are present.
40) Out-of-bounds read (CVE-ID: CVE-2026-53040)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in the ocfs2 freefrag scan logic in fs/ocfs2/ioctl.c when processing a crafted filesystem through OCFS2_IOC_INFO with OCFS2_INFO_FL_NON_COHERENT. A local user can supply a crafted filesystem and issue the ioctl request to cause a denial of service.
The issue occurs in the non-coherent scan path, which reads raw group descriptor blocks without the validation performed by the coherent path.
41) Out-of-bounds write (CVE-ID: CVE-2026-53016)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in ccp_aes_complete() when processing AF_ALG rfc3686-ctr-aes-ccp requests. A local user can supply a request with an 8-byte IV to cause a denial of service.
42) Integer overflow (CVE-ID: CVE-2026-52972)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an integer overflow in the af_alg control message handler when processing a crafted associated data length value for AEAD operations. A local user can send a specially crafted message to cause a denial of service.
43) Out-of-bounds write (CVE-ID: CVE-2026-52969)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory corruption.
The vulnerability exists due to an out-of-bounds write in kvm_reset_dirty_gfn() and the KVM dirty ring handling logic when processing rewritten dirty ring entries from a vcpu file descriptor. A local user can modify slot and offset fields in crafted dirty ring entries to cause memory corruption.
The issue is reachable from a process holding /dev/kvm and affects the legacy MMU path with shadow paging, allocated shadow roots, or a write-tracked slot.
44) Memory leak (CVE-ID: CVE-2026-52962)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in __ceph_setxattr() when retrying extended attribute updates. A local user can trigger repeated setxattr operations to cause a denial of service.
45) NULL pointer dereference (CVE-ID: CVE-2026-52957)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a null pointer dereference in decode_choose_args() when processing a crafted CEPH_MSG_OSD_MAP message containing a crush_choose_arg_map with a bucket index that refers to a NULL bucket. A remote attacker can send a specially crafted message to cause a denial of service.
46) Out-of-bounds read (CVE-ID: CVE-2026-43034)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in bnxt_hwrm_func_backing_store_qcaps_v2() when processing firmware responses for backing-store capability queries. A local user can trigger the vulnerable code path to cause a denial of service.
47) Use of Uninitialized Variable (CVE-ID: CVE-2026-43139)
CWE-ID: CWE-457 - Use of Uninitialized Variable
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use of uninitialized memory in xfrm6_get_saddr() when handling IPv6 source address selection failures. A local user can trigger network operations that cause ipv6_dev_get_saddr() to fail and use the uninitialized address to cause a denial of service.
48) Double free (CVE-ID: CVE-2026-43128)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to double free in RDMA umem dma-buf pinning logic when handling a failure in ib_umem_dmabuf_get_pinned_with_dma_device(). A local user can trigger a failure in dma-buf page mapping to cause a denial of service.
The issue occurs because the dma-buf may be unpinned on the failure path while the pinned flag remains set, leading to a second unpin during the release and revoke path.
49) Improper input validation (CVE-ID: CVE-2026-43107)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in xfrm_get_ae() and xfrm_aevent_msgsize() when handling malformed netlink interactions for xfrm aevent messages. A local user can send a malformed netlink interaction to cause a denial of service.
The issue is triggered for states with if_id set, where the reply skb size calculation does not account for the XFRMA_IF_ID attribute.
50) Improper input validation (CVE-ID: CVE-2026-43093)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in xdp_umem_reg() when registering UMEM with insufficient headroom and tailroom. A local user can supply a crafted UMEM configuration to cause a denial of service.
The issue can leave insufficient space for a minimum-sized ethernet frame and may corrupt skb_shared_info stored at the end of an XSK frame when multi-buffer operation is involved.
51) Improper Initialization (CVE-ID: CVE-2026-43089)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper initialization in build_mapping() when copying xfrm_usersa_id structures to userspace. A local user can trigger the affected code path to disclose sensitive information.
The issue is caused by a one-byte padding hole after the proto field that is not cleared before the structure is copied out.
52) NULL pointer dereference (CVE-ID: CVE-2026-43086)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in ip_vs_add_service error handling when processing a crafted IPVS service configuration that causes ip_vs_start_estimator() to fail after a scheduler has been successfully bound. A local user can trigger the vulnerable error path to cause a denial of service.
The issue results in a kernel panic.
53) Use of uninitialized resource (CVE-ID: CVE-2026-43085)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an uninitialized memory use in nfnetlink_log NLMSG_DONE terminator handling when batching multiple NFLOG messages. A local user can trigger generation of a crafted NLMSG_DONE message to disclose sensitive information.
Four bytes of stale kernel heap data are leaked to userspace in the NLMSG_DONE message body when the queue length is greater than one.
54) Improper input validation (CVE-ID: CVE-2026-43081)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in GENERIC_CMD register field masks in the net/ipa component when handling stop commands for the MPSS remote processor while IPA is active. A local user can trigger the affected operation to cause a denial of service.
The issue was observed as a kernel WARN when sending a stop command to the MPSS remote processor while IPA was up.
55) Integer overflow (CVE-ID: CVE-2026-43080)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an integer overflow in l2tp_xmit_core when processing oversized PPPoL2TP packets with UDP encapsulation. A local user can send an oversized packet to trigger a kernel warning and cause a denial of service.
The issue occurs because the UDP length field is 16-bit and the oversized length value is truncated.
56) Out-of-bounds write (CVE-ID: CVE-2026-43079)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in uncore_pci_pmu_register() when parsing the discovery table for offline dies. A local user can trigger the vulnerable code path to cause a denial of service.
The issue can be triggered when NUMA is disabled and the system boots with fewer CPUs than the number of CPUs in die 0.
57) Out-of-bounds read (CVE-ID: CVE-2026-43233)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in decode_choice() in nf_conntrack_h323 when processing a crafted Q.931 SETUP message containing a User-User Information Element with PER-encoded data. A remote attacker can send a specially crafted network message to disclose sensitive information.
Exploitation requires the nf_conntrack_h323 helper to be active and can be triggered via port 1720.
58) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43022)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper exception handling in hci_cmd_sync_queue_once() when queuing command items. A local user can trigger duplicate queueing conditions to cause a denial of service.
The issue can lead to resource leaks when an already queued item is not reported to the caller.
59) Improper input validation (CVE-ID: CVE-2026-43010)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in bpf_kprobe_multi_link_attach() when attaching a sleepable kprobe_multi program. A local user can attach a sleepable program that invokes sleepable helpers from a non-sleepable context to cause a denial of service.
The issue is triggered because kprobe.multi programs run in atomic/RCU context and cannot sleep.
60) Resource exhaustion (CVE-ID: CVE-2026-31677)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in af_alg_get_rsgl() when processing recvmsg calls with data extraction into the RX scatterlist. A local user can send a specially crafted recvmsg request to cause a denial of service.
61) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-31670)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the rfkill event handling logic when userspace creates rfkill events without consuming them from the rfkill file descriptor. A local user can create an unlimited number of pending rfkill events to cause a denial of service.
The issue can lead to an out-of-memory condition on systems configured to allow userspace to create such events.
62) Type Confusion (CVE-ID: CVE-2026-31502)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to type confusion in team header_ops handling when processing header operations on non-Ethernet ports. A local user can trigger crafted network device interactions to cause a denial of service.
The issue can be triggered in stacked non-Ethernet topologies where inherited header callbacks are invoked with the wrong net_device context.
63) Race condition (CVE-ID: CVE-2026-31466)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in softleaf_to_folio() and softleaf_to_page() when handling migration entries during concurrent folio splitting and zap_nonpresent_ptes() processing. A local user can trigger the race to cause a denial of service.
The issue can result in VM_WARN_ON_ONCE() being triggered, and on systems before commit 93976a20345b it can manifest as a BUG_ON().
64) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31462)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the amdgpu PASID allocation logic when reusing a PASID immediately after process exit. A local user can trigger immediate PASID reuse to cause a denial of service.
Pending page faults may still remain in the IH ring buffer from the previous process when the PASID is reused.
65) Race condition (CVE-ID: CVE-2026-31450)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in ext4_inode_attach_jinode() when handling concurrent fast commit flush operations. A local user can trigger concurrent filesystem activity to cause a denial of service.
The issue occurs because a jinode pointer may be observed as non-NULL before its associated i_vfs_inode field is initialized, leading to a kernel crash when the fast commit flush path dereferences it.
66) Infinite loop (CVE-ID: CVE-2026-23451)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to an infinite loop in bond_header_parse() when parsing packet headers in a stack of two bonding devices. A local attacker can trigger packet processing in this configuration to cause a denial of service.
The issue occurs because device recursion can remain bounded to the hierarchy top, leading to repeated parsing instead of reaching the final leaf parse method.
67) NULL pointer dereference (CVE-ID: CVE-2025-71294)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in buffer_funcs in the amdgpu driver when handling operations with SDMA block disabled. A local user can trigger the vulnerable code path to cause a denial of service.
Exploitation requires the SDMA block to be disabled.
68) Double free (CVE-ID: CVE-2026-45891)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in hns3_set_ringparam() and the ring cleanup path when handling ring reconfiguration after a memory allocation failure. A local user can trigger ring parameter changes that lead to a failed ring initialization to cause a denial of service.
The issue is caused by a stale dangling pointer in the tx_spare field that is mistaken for a newly allocated buffer during error cleanup.
69) Improper access control (CVE-ID: CVE-2026-46076)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass hypercall interception controls.
The vulnerability exists due to improper access control in KVM nested SVM handling when processing VMMCALL from an L2 guest. A remote user can invoke an unhandled VMMCALL to bypass hypercall interception controls.
Exploitation requires an active nested virtualization scenario where L2 is running, L1 does not intercept VMMCALL, nested_svm_l2_tlb_flush_enabled() is true, and the hypercall is not one of the supported Hyper-V hypercalls.
70) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46071)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in nested_svm_vmexit() and vmcb12 handling when copying last branch records. A local user can trigger a nested SVM VM exit to cause a denial of service.
The issue affects nested virtualization on AMD SVM.
71) Use-after-free (CVE-ID: CVE-2026-46069)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in mwifiex_adapter_cleanup() when cleaning up the adapter while the wakeup timer callback is still executing. A local user can trigger device removal during this race condition to cause a denial of service.
72) Use-after-free (CVE-ID: CVE-2026-46065)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in fbdev deferred I/O handling when accessing a memory mapping after device hot-unplug. A local user can keep an active mapping of graphics memory and access it after hot-unplug to cause a denial of service.
Access to the invalidated mapping may result in a SIGBUS signal.
73) Deadlock (CVE-ID: CVE-2026-46063)
CWE-ID: CWE-833 - Deadlock
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper locking in shadow stack signal frame handling during sigreturn when reading the shadow stack signal frame from userspace. A local user can trigger a page fault during sigreturn to cause a denial of service.
The issue can occur when a writer on another CPU is waiting on the mmap lock, leading to a deadlock in the fault handling path.
74) Double free (CVE-ID: CVE-2026-46053)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in __rds_rdma_map() when copying the generated cookie back to user space. A local user can trigger a copy error after memory region registration succeeds to cause a denial of service.
75) Race condition (CVE-ID: CVE-2026-46028)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in the algif_aead AF_ALG AEAD request handling when processing asynchronous AEAD AIO requests. A local user can trigger concurrent socket activity to cause a denial of service.
The issue arises because in-flight operations depend on a mutable socket-wide IV buffer that can be changed before the original request completes.
76) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45985)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper extent state handling in ext4_split_convert_extents() when allocating blocks during within-EOF direct I/O and writeback with dioread_nolock enabled. A local user can trigger a failed direct I/O write that splits an unwritten extent to disclose sensitive information.
The issue can occur when a temporary ENOSPC condition happens during extent splitting, causing inconsistency between the on-disk extent state and the extent status tree.
77) Memory leak (CVE-ID: CVE-2026-45948)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in ext4_ext_shift_extents() when shifting extents. A local user can trigger the vulnerable code path to cause a denial of service.
78) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45912)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in ext4 extent status tree handling when splitting an unwritten extent during direct I/O writes. A local user can trigger extent splitting and subsequent delayed buffer writes to cause a denial of service.
The issue can leave a stale hole extent in the extent status tree, leading to errors in space accounting.
79) Memory leak (CVE-ID: CVE-2025-40341)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the SYSCALL_DEFINE2(), SYSCALL_DEFINE3() and COMPAT_SYSCALL_DEFINE3() functions in kernel/futex/syscalls.c. A local user can perform a denial of service (DoS) attack.
80) NULL pointer dereference (CVE-ID: CVE-2026-45848)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in aa_sock_file_perm when handling socket setup or teardown. A local user can trigger the vulnerable code path to cause a denial of service.
The issue is reachable for older af_unix mediation and other socket types.
81) Out-of-bounds read (CVE-ID: CVE-2026-45838)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in cgroup_storage_get_next_key() when processing end-of-list conditions for cgroup storage map keys. A local user can trigger the function on the last list element to disclose sensitive information.
The issue occurs because the code reads a key from a bogus pointer that aliases internal map fields and copies the result to userspace.
82) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43502)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in rds_message_purge() in the net/rds subsystem when cleaning up a failed zerocopy send before the message is queued. A local user can trigger an early zerocopy send failure to cause a denial of service.
The issue occurs after user pages have been pinned but before the message is attached to the sending socket.
83) Integer underflow (CVE-ID: CVE-2026-43492)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to integer underflow in mpi_read_raw_from_sgl() when processing a crafted scatterlist during a KEYCTL_PKEY_ENCRYPT system call. A local user can supply an input buffer of zeroes with a larger out_len than in_len to cause a denial of service.
The issue can cause the kernel to spin forever, resulting in soft lockup splats.
84) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43472)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in unshare_fs() when handling unshare(2) requests with CLONE_NEWNS together with additional namespace flags that can fail after mount namespace creation. A local user can invoke unshare(2) in this state to cause a denial of service.
The issue can leave the calling process with pwd and root pointing to detached isolated mounts after unshare(2) fails, such as after an -ENOMEM error during cgroup namespace setup.
85) Type Confusion (CVE-ID: CVE-2026-43456)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to type confusion in bond_setup_by_slave() when handling header operations for a bonded non-Ethernet slave device. A local user can enslave a non-Ethernet device such as a GRE tunnel to a bond and trigger packet transmission to cause a denial of service.
The issue is triggered because header callbacks from the slave device are invoked with the bond device context, causing device-specific private data to be interpreted as the wrong type.
86) Race condition (CVE-ID: CVE-2026-43420)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in ceph_unlink() when processing asynchronous unlink operations. A local user can trigger concurrent unlink completion handling to cause a denial of service.
Only the asynchronous unlink code path is affected.
87) Sensitive Information in Resource Not Removed Before Reuse (CVE-ID: CVE-2026-43336)
CWE-ID: CWE-226 - Sensitive Information in Resource Not Removed Before Reuse
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to missing zeroization of sensitive data in the ChaCha implementation in lib/crypto/chacha when processing cryptographic state on the stack. A local user can read residual stack memory to disclose sensitive information.
The permuted state is sufficient to reconstruct the original state, including the key.
88) Use-after-free (CVE-ID: CVE-2026-43303)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in the swap subsystem when handling stale page->private values on reallocated and split pages. A local user can trigger swapoff operations after causing affected page state reuse to cause a denial of service.
The issue occurs because tail pages can retain stale page->private values after split_page(), leading swap_count_continued() to follow an invalid continuation list and access poisoned list entries.
89) Division by zero (CVE-ID: CVE-2026-43238)
CWE-ID: CWE-369 - Divide By Zero
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a divide-by-zero error in tcf_skbedit_hash() when processing skbedit hash-based tx queue selection with a queue mapping range covering all possible u16 queue IDs. A local user can configure a crafted queue mapping range to cause a denial of service.
Remediation
Install update from vendor's website.