SB2026070872 - SUSE update for the Linux Kernel



SB2026070872 - SUSE update for the Linux Kernel

Published: July 8, 2026

Security Bulletin ID SB2026070872
CSH Severity
High
Patch available
YES
Number of vulnerabilities 171
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 1% Medium 12% Low 88%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 171 vulnerabilities.


1) Race condition (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper synchronization in broadcast TLB invalidation completion handling in the arm64 TLB invalidation logic when performing memory accesses translated by an invalidated TLB entry after a TLBI;DSB sequence. A local user can trigger affected memory access patterns to cause a denial of service.

The issue affects only the completion of memory accesses translated by an invalidated TLB entry and does not prevent the actual invalidation of TLB entries.


2) Race condition (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper synchronization in broadcast TLBI completion handling in the arm64 CPU errata logic when performing broadcast TLB invalidation on affected Arm CPUs. A local user can trigger memory management activity to cause a denial of service.

The issue affects completion of memory accesses translated by an invalidated TLB entry, while TLB invalidation itself still occurs correctly.


3) Improper locking (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory synchronization in broadcast TLB invalidation completion handling in the arm64 CPU errata logic when performing broadcast TLB invalidation on affected Arm CPUs. A local user can trigger memory access patterns that rely on invalidated TLB entries to cause a denial of service.

The issue affects only completion of memory accesses translated by an invalidated TLB entry and does not prevent the actual invalidation of TLB entries.


4) Improper access control (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in Stage 2 translation handling when invalidating translation lookaside buffer entries on affected Arm systems. A remote user can trigger writes from a malicious guest after write permissions have been revoked to escalate privileges.

Only Xen on Arm in multi-core configurations is affected. The issue does not affect reads.


5) Resource management error (CVE-ID: CVE-2025-40216)

CWE-ID: CWE-399 - Resource Management Errors

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to resource management error within the io_uring/rsrc.h. A local user can perform a denial of service (DoS) attack.


6) Memory leak (CVE-ID: CVE-2025-40341)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the SYSCALL_DEFINE2(), SYSCALL_DEFINE3() and COMPAT_SYSCALL_DEFINE3() functions in kernel/futex/syscalls.c. A local user can perform a denial of service (DoS) attack.


7) Use-after-free (CVE-ID: CVE-2025-68822)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the alps_disconnect() function in drivers/input/mouse/alps.c. A local user can escalate privileges on the system.


8) NULL pointer dereference (CVE-ID: CVE-2025-71294)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a null pointer dereference in buffer_funcs in the amdgpu driver when handling operations with SDMA block disabled. A local user can trigger the vulnerable code path to cause a denial of service.

Exploitation requires the SDMA block to be disabled.


9) Infinite loop (CVE-ID: CVE-2026-23451)

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to an infinite loop in bond_header_parse() when parsing packet headers in a stack of two bonding devices. A local attacker can trigger packet processing in this configuration to cause a denial of service.

The issue occurs because device recursion can remain bounded to the hierarchy top, leading to repeated parsing instead of reaching the final leaf parse method.


10) Use-after-free (CVE-ID: CVE-2026-31414)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in nf_conntrack_expect when dumping the helper name via ctnetlink or /proc. A local user can trigger access to freed conntrack helper state to cause a denial of service.

The issue involves unsafe use of nfct_help() without holding a reference to the master conntrack.


11) Double free (CVE-ID: CVE-2026-31429)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a cross-cache free in skb_kfree_head() when freeing KFENCE-allocated skb head data. A local user can trigger allocation and freeing of a specially sized skb head object to cause a denial of service.

Exploitation requires KFENCE to be enabled.


12) Race condition (CVE-ID: CVE-2026-31450)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in ext4_inode_attach_jinode() when handling concurrent fast commit flush operations. A local user can trigger concurrent filesystem activity to cause a denial of service.

The issue occurs because a jinode pointer may be observed as non-NULL before its associated i_vfs_inode field is initialized, leading to a kernel crash when the fast commit flush path dereferences it.


13) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31452)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in ext4_setattr() when processing truncate operations that grow a file beyond inline storage capacity. A local user can truncate a file with inline data to a large size and trigger a write operation to cause a denial of service.

The issue occurs when an inode retains the inline data flag even though the file size exceeds the actual inline capacity, leading to a kernel BUG_ON() during sendfile()-triggered writes.


14) Use-after-free (CVE-ID: CVE-2026-31453)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in xfsaild_push_item tracepoint handling when processing log item push callbacks after the AIL lock is dropped. A local user can trigger background inode reclaim or dquot shrinker activity to cause a denial of service.


15) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31462)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the amdgpu PASID allocation logic when reusing a PASID immediately after process exit. A local user can trigger immediate PASID reuse to cause a denial of service.

Pending page faults may still remain in the IH ring buffer from the previous process when the PASID is reused.


16) Race condition (CVE-ID: CVE-2026-31466)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in softleaf_to_folio() and softleaf_to_page() when handling migration entries during concurrent folio splitting and zap_nonpresent_ptes() processing. A local user can trigger the race to cause a denial of service.

The issue can result in VM_WARN_ON_ONCE() being triggered, and on systems before commit 93976a20345b it can manifest as a BUG_ON().


17) Use-after-free (CVE-ID: CVE-2026-31469)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the virtio_net driver transmit path when transmitting packets after the network namespace is destroyed while previously queued skbs are still pending. A local user can trigger packet transmission and network namespace teardown to cause a denial of service.

The issue occurs when the virtio_net driver is configured with napi_tx disabled and the device's IFF_XMIT_DST_RELEASE flag is cleared.


18) Improper Initialization (CVE-ID: CVE-2026-31492)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper initialization in irdma_create_qp and irdma_destroy_qp when handling a failure from ib_copy_to_udata during queue pair creation. A local user can trigger an error during queue pair creation to cause a denial of service.


19) Improper input validation (CVE-ID: CVE-2026-31495)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in ctnetlink when handling netlink attribute values. A local user can send a specially crafted netlink message to cause a denial of service.

The issue involves invalid TCP state, window scale, and flag values accepted through ctnetlink attributes.


20) Deadlock (CVE-ID: CVE-2026-31499)

CWE-ID: CWE-833 - Deadlock

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking in l2cap_conn_del() when canceling delayed work items. A local user can trigger Bluetooth L2CAP connection deletion while the associated timer work is executing to cause a denial of service.


21) Use-after-free (CVE-ID: CVE-2026-31500)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in btintel_hw_error() when handling a hardware error concurrently with device close operations. A local user can trigger a race condition to cause a denial of service.

The issue occurs because synchronous HCI command paths manipulate shared request state concurrently.


22) Type Confusion (CVE-ID: CVE-2026-31502)

CWE-ID: CWE-843 - Type confusion

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to type confusion in team header_ops handling when processing header operations on non-Ethernet ports. A local user can trigger crafted network device interactions to cause a denial of service.

The issue can be triggered in stacked non-Ethernet topologies where inherited header callbacks are invoked with the wrong net_device context.


23) Use-after-free (CVE-ID: CVE-2026-31555)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of a stale pointer in futex_lock_pi() retry path in kernel/futex/core.c when retrying priority-inheritance futex locking after owner exit handling. A local user can trigger repeated futex_lock_pi() operations to cause a kernel warning and crash.


24) NULL pointer dereference (CVE-ID: CVE-2026-31560)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a null pointer dereference in spi-dw-dma error logging when handling an error after a transaction finishes without a current message. A local user can trigger an error condition to cause a denial of service.


25) Improper locking (CVE-ID: CVE-2026-31592)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking in sev_mem_enc_register_region() when handling KVM ioctls during SEV guest initialization failure paths. A local user can issue crafted ioctl calls to trigger a general protection fault and kernel crash.

The issue can occur if KVM_SEV_INIT{2} fails and KVM attempts to add to an uninitialized sev->regions_list.


26) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-31593)

CWE-ID: CWE-1284 - Improper Validation of Specified Quantity in Input

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state validation in the KVM SEV VMSA synchronization logic when synchronizing vCPU state to an already-launched and encrypted vCPU. A local user can issue a crafted ioctl sequence to cause a denial of service.

On hosts with SNP enabled, accessing guest-private memory triggers an RMP page fault that panics the host. In SEV-ES environments without SNP, the issue may clobber guest state instead of panicking the host.


27) Improper locking (CVE-ID: CVE-2026-31647)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper lock handling in the idpf async virtual channel handling logic when processing asynchronous virtual channel messages. A local user can trigger the vulnerable code path to cause a denial of service.

The issue is manifested as an invalid wait context in PREEMPT_RT environments.


28) Use of uninitialized resource (CVE-ID: CVE-2026-31664)

CWE-ID: CWE-908 - Use of Uninitialized Resource

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to uninitialized memory exposure in build_polexpire() when sending netlink multicast notifications to XFRMNLGRP_EXPIRE listeners. A local user can receive a crafted expiration notification to disclose sensitive information.

The issue leaks trailing padding bytes from struct xfrm_user_polexpire to userspace.


29) Use-after-free (CVE-ID: CVE-2026-31665)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in nft_ct_timeout_obj_destroy() when destroying timeout objects during concurrent packet processing. A local user can trigger concurrent packet processing and object destruction to cause a denial of service.

The issue arises because other CPUs may still hold RCU-protected references to the timeout object.


30) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-31670)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the rfkill event handling logic when userspace creates rfkill events without consuming them from the rfkill file descriptor. A local user can create an unlimited number of pending rfkill events to cause a denial of service.

The issue can lead to an out-of-memory condition on systems configured to allow userspace to create such events.


31) Out-of-bounds read (CVE-ID: CVE-2026-31674)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in rt_mt6() when processing a malformed rt match rule with an oversized addrnr value. A local user can install a specially crafted rule to cause a denial of service.


32) Resource exhaustion (CVE-ID: CVE-2026-31677)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in af_alg_get_rsgl() when processing recvmsg calls with data extraction into the RX scatterlist. A local user can send a specially crafted recvmsg request to cause a denial of service.


33) Use-after-free (CVE-ID: CVE-2026-31680)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in ip6fl_seq_show() when reading /proc/net/ip6_flowlabel concurrently with flowlabel release. A local user can trigger concurrent access to dereference freed option state and cause a denial of service.

The issue occurs because the flowlabel remains reachable through the global hash table under RCU after its option state has been freed.


34) Improper Initialization (CVE-ID: CVE-2026-31693)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper initialization in cifs replay handling when replaying requests. A local user can trigger request replay to cause a denial of service.


35) Out-of-bounds read (CVE-ID: CVE-2026-31697)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in sev_ioctl_do_get_id2 in the ccp/sev ioctl handler when handling a request to retrieve the CPU ID with a userspace buffer and length that are too small after a firmware command failure. A local user can issue a specially crafted ioctl request to disclose sensitive information.

The issue occurs when the firmware command fails due to an invalid length and the kernel still copies the firmware-required byte count to userspace.


36) Out-of-bounds read (CVE-ID: CVE-2026-31698)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in sev_ioctl_do_pdh_export when handling a PDH certificate export ioctl after a firmware command failure caused by an invalid length. A local user can provide a userspace buffer and length that are too small to trigger copying beyond the kernel-allocated buffer to disclose sensitive information.

The issue occurs when retrieving the PDH certificate and the firmware reports the required size after the supplied userspace buffer is too small.


37) Out-of-bounds read (CVE-ID: CVE-2026-31699)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the sev_ioctl_do_pek_csr ioctl handler when processing a PEK CSR retrieval request after a failed firmware command. A local user can supply a too-small userspace buffer and length to trigger a copy to userspace that discloses sensitive information.

The issue occurs when the firmware reports an invalid length for the requested blob.


38) Out-of-bounds read (CVE-ID: CVE-2026-31752)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in br_nd_send when parsing malformed neighbor discovery options. A remote attacker can send a specially crafted neighbor solicitation packet to cause a denial of service.


39) Double free (CVE-ID: CVE-2026-31759)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in ulpi_register_interface() when handling a device registration failure. A local user can trigger the vulnerable error path to cause a denial of service.


40) Out-of-bounds read (CVE-ID: CVE-2026-31771)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the Bluetooth HCI event handling logic when processing a short HCI event frame. A local attacker can send a specially crafted HCI event frame to cause a denial of service.

The issue occurs because wake reason storage is reached before per-event minimum payload length validation is enforced.


41) Improper input validation (CVE-ID: CVE-2026-43010)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in bpf_kprobe_multi_link_attach() when attaching a sleepable kprobe_multi program. A local user can attach a sleepable program that invokes sleepable helpers from a non-sleepable context to cause a denial of service.

The issue is triggered because kprobe.multi programs run in atomic/RCU context and cannot sleep.


42) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43022)

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper exception handling in hci_cmd_sync_queue_once() when queuing command items. A local user can trigger duplicate queueing conditions to cause a denial of service.

The issue can lead to resource leaks when an already queued item is not reported to the caller.


43) Race condition (CVE-ID: CVE-2026-43023)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition leading to use-after-free in sco_sock_connect() when handling concurrent connect() calls on the same Bluetooth SCO socket. A local user can issue concurrent connect() syscalls on the same socket to cause a denial of service.

The issue can revive a BT_CLOSED and SOCK_ZAPPED socket back to BT_CONNECT during concurrent execution.


44) Improper input validation (CVE-ID: CVE-2026-43024)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in nf_tables verdict handling when processing nftables rules. A local user can create a rule with an immediate NF_QUEUE verdict to cause a denial of service.

The issue is reachable in the arp family even though queue support is not provided there.


45) Improper Null Termination (CVE-ID: CVE-2026-43028)

CWE-ID: CWE-170 - Improper Null Termination

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in x_tables when processing names supplied to functions that expect c-strings. A local user can provide a name that lacks a nul terminator to cause a denial of service.


46) Out-of-bounds read (CVE-ID: CVE-2026-43034)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in bnxt_hwrm_func_backing_store_qcaps_v2() when processing firmware responses for backing-store capability queries. A local user can trigger the vulnerable code path to cause a denial of service.


47) Improper Initialization (CVE-ID: CVE-2026-43035)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper initialization in tc_chain_fill_node() when building netlink messages. A local user can trigger the kernel to generate a netlink message to disclose sensitive information.

Kernel heap memory may be exposed to userspace through the 4-byte tcm_info field of struct tcmsg.


48) Use of uninitialized resource (CVE-ID: CVE-2026-43036)

CWE-ID: CWE-908 - Use of Uninitialized Resource

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper handling of packet header data in gso_features_check() when processing packets injected through PF_PACKET paths. A local attacker can inject a specially crafted packet to cause a denial of service.

The issue occurs because the IPv4 header access may rely on skb header offsets that are not always safe for direct dereference in this context.


49) Use-after-free (CVE-ID: CVE-2026-43049)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the logitech-hidpp force feedback initialization path when probing the Logitech G920 Driving Force Racing Wheel for Xbox One and userspace continues to access sysfs or /dev/input references after initialization failure. A local user can trigger force feedback initialization failure and use dangling references to cause a denial of service.

The issue occurs if force feedback initialization fails before the userspace infrastructure has been torn down.


50) Improper Initialization (CVE-ID: CVE-2026-43053)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the XFS extended attribute dabtree inactivation logic when processing inode inactivation and log recovery. A local user can trigger a log shutdown during attribute fork inactivation to cause a denial of service.

The issue affects inodes with node-format extended attributes and can lead to metadata verification failures on the next mount during recovery processing.


51) Use-after-free (CVE-ID: CVE-2026-43074)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in ep_free() in eventpoll.c when handling concurrent eventpoll operations. A local user can trigger a race condition to cause a denial of service.


52) Improper input validation (CVE-ID: CVE-2026-43077)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in algif_aead when processing decryption requests. A local user can provide a crafted receive buffer size to cause a denial of service.


53) Out-of-bounds write (CVE-ID: CVE-2026-43079)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in uncore_pci_pmu_register() when parsing the discovery table for offline dies. A local user can trigger the vulnerable code path to cause a denial of service.

The issue can be triggered when NUMA is disabled and the system boots with fewer CPUs than the number of CPUs in die 0.


54) Integer overflow (CVE-ID: CVE-2026-43080)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an integer overflow in l2tp_xmit_core when processing oversized PPPoL2TP packets with UDP encapsulation. A local user can send an oversized packet to trigger a kernel warning and cause a denial of service.

The issue occurs because the UDP length field is 16-bit and the oversized length value is truncated.


55) Improper input validation (CVE-ID: CVE-2026-43081)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in GENERIC_CMD register field masks in the net/ipa component when handling stop commands for the MPSS remote processor while IPA is active. A local user can trigger the affected operation to cause a denial of service.

The issue was observed as a kernel WARN when sending a stop command to the MPSS remote processor while IPA was up.


56) Out-of-bounds read (CVE-ID: CVE-2026-43083)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in __ioam6_fill_trace_data() when processing packets with trace->type.bit6 set on the RX path. A local user can trigger the kernel to access an invalid transmit queue index to cause a denial of service.

The issue occurs when the ingress device has more RX queues than the egress device has TX queues.


57) Use of uninitialized resource (CVE-ID: CVE-2026-43085)

CWE-ID: CWE-908 - Use of Uninitialized Resource

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an uninitialized memory use in nfnetlink_log NLMSG_DONE terminator handling when batching multiple NFLOG messages. A local user can trigger generation of a crafted NLMSG_DONE message to disclose sensitive information.

Four bytes of stale kernel heap data are leaked to userspace in the NLMSG_DONE message body when the queue length is greater than one.


58) NULL pointer dereference (CVE-ID: CVE-2026-43086)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a null pointer dereference in ip_vs_add_service error handling when processing a crafted IPVS service configuration that causes ip_vs_start_estimator() to fail after a scheduler has been successfully bound. A local user can trigger the vulnerable error path to cause a denial of service.

The issue results in a kernel panic.


59) Improper Initialization (CVE-ID: CVE-2026-43089)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper initialization in build_mapping() when copying xfrm_usersa_id structures to userspace. A local user can trigger the affected code path to disclose sensitive information.

The issue is caused by a one-byte padding hole after the proto field that is not cleared before the structure is copied out.


60) Improper input validation (CVE-ID: CVE-2026-43093)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in xdp_umem_reg() when registering UMEM with insufficient headroom and tailroom. A local user can supply a crafted UMEM configuration to cause a denial of service.

The issue can leave insufficient space for a minimum-sized ethernet frame and may corrupt skb_shared_info stored at the end of an XSK frame when multi-buffer operation is involved.


61) NULL pointer dereference (CVE-ID: CVE-2026-43094)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the ixgbevf Hyper-V MAC operations table when probing the device on Hyper-V virtual machines. A local user can trigger device initialization to cause a denial of service.

The issue occurs because the negotiate_features callback is missing from the Hyper-V-specific operations table.


62) NULL pointer dereference (CVE-ID: CVE-2026-43101)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a null pointer dereference in __ioam6_fill_trace_data() when processing ipv6 ioam trace data. A local user can trigger the vulnerable code path to cause a denial of service.


63) Improper input validation (CVE-ID: CVE-2026-43107)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in xfrm_get_ae() and xfrm_aevent_msgsize() when handling malformed netlink interactions for xfrm aevent messages. A local user can send a malformed netlink interaction to cause a denial of service.

The issue is triggered for states with if_id set, where the reply skb size calculation does not account for the XFRMA_IF_ID attribute.


64) Out-of-bounds read (CVE-ID: CVE-2026-43112)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to out-of-bounds read in cifs_sanitize_prepath when parsing path strings containing only delimiters or no path content. A local user can supply a crafted path string to cause a denial of service.

The issue can be triggered by an empty string or a string such as "/".


65) Race condition (CVE-ID: CVE-2026-43119)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a data race in hdev->req_status handling in the Bluetooth hci_sync subsystem when processing concurrent command synchronization operations across workqueues and event completion paths. A local user can trigger concurrent operations to cause a denial of service.

The issue arises because accesses occur from different workqueues and completion or abort paths that can run concurrently on different CPUs.


66) Double free (CVE-ID: CVE-2026-43128)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to double free in RDMA umem dma-buf pinning logic when handling a failure in ib_umem_dmabuf_get_pinned_with_dma_device(). A local user can trigger a failure in dma-buf page mapping to cause a denial of service.

The issue occurs because the dma-buf may be unpinned on the failure path while the pinned flag remains set, leading to a second unpin during the release and revoke path.


67) Use of Uninitialized Variable (CVE-ID: CVE-2026-43139)

CWE-ID: CWE-457 - Use of Uninitialized Variable

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use of uninitialized memory in xfrm6_get_saddr() when handling IPv6 source address selection failures. A local user can trigger network operations that cause ipv6_dev_get_saddr() to fail and use the uninitialized address to cause a denial of service.


68) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43158)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the xfs extended attribute leaf block freemap adjustment code when adding extended attributes to leaf blocks. A local user can set a crafted extended attribute to cause a denial of service.

The issue can corrupt free space accounting so that the name area overlaps the end of the entries array, triggering an assertion and shutting down the filesystem.


69) Integer underflow (CVE-ID: CVE-2026-43171)

CWE-ID: CWE-191 - Integer underflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information, cause a denial of service, or trigger a kernel oops.

The vulnerability exists due to an integer underflow in cper_print_fw_err() when processing a malformed firmware error record with an offset beyond the actual record length. A local user can provide a crafted error record to disclose sensitive information, cause a denial of service, or trigger a kernel oops.

The issue occurs on systems with bad or malformed firmware error records.


70) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43187)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause data loss.

The vulnerability exists due to improper state management in the XFS extended attribute leaf freemap handling code when processing setxattr operations. A local user can set extended attributes in a way that causes xattr namevalue entries to be allocated on top of the entries array to cause data loss.

The issue involves zero-length freemap entries with a nonzero base and can lead to overlapping freemap entries with the same base but different sizes.


71) Race condition (CVE-ID: CVE-2026-43198)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a race condition in tcp_v6_syn_recv_sock() when handling IPv6 TCP connection requests. A remote attacker can send network traffic that triggers the race to cause a denial of service.

The issue occurs because a child socket may become visible in the TCP ehash table before its IPv6 state is fully initialized.


72) Out-of-bounds read (CVE-ID: CVE-2026-43233)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in decode_choice() in nf_conntrack_h323 when processing a crafted Q.931 SETUP message containing a User-User Information Element with PER-encoded data. A remote attacker can send a specially crafted network message to disclose sensitive information.

Exploitation requires the nf_conntrack_h323 helper to be active and can be triggered via port 1720.


73) Division by zero (CVE-ID: CVE-2026-43238)

CWE-ID: CWE-369 - Divide By Zero

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a divide-by-zero error in tcf_skbedit_hash() when processing skbedit hash-based tx queue selection with a queue mapping range covering all possible u16 queue IDs. A local user can configure a crafted queue mapping range to cause a denial of service.


74) Race condition (CVE-ID: CVE-2026-43239)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in smb client query_interfaces() when concurrently updating interfaces. A local user can trigger concurrent interface query work to cause a denial of service.


75) Resource management error (CVE-ID: CVE-2026-43284)

CWE-ID: CWE-399 - Resource Management Errors

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/U:Amber


The vulnerability allows a local user to escalate privileges on the system.

The xfrm-ESP Page-Cache Write vulnerability exists due to improper management of internal resources in esp_input() function in net/ipv4/esp4.c and esp6_input() function in net/ipv6/esp6.c. A local user can execute arbitrary code with root privileges. 

Note, this is one of two vulnerabilities reported as Dirty Frag.


76) Use-after-free (CVE-ID: CVE-2026-43303)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the swap subsystem when handling stale page->private values on reallocated and split pages. A local user can trigger swapoff operations after causing affected page state reuse to cause a denial of service.

The issue occurs because tail pages can retain stale page->private values after split_page(), leading swap_count_continued() to follow an invalid continuation list and access poisoned list entries.


77) Sensitive Information in Resource Not Removed Before Reuse (CVE-ID: CVE-2026-43336)

CWE-ID: CWE-226 - Sensitive Information in Resource Not Removed Before Reuse

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to missing zeroization of sensitive data in the ChaCha implementation in lib/crypto/chacha when processing cryptographic state on the stack. A local user can read residual stack memory to disclose sensitive information.

The permuted state is sufficient to reconstruct the original state, including the key.


78) Use-after-free (CVE-ID: CVE-2026-43339)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in addrconf_permanent_addr() when handling an exceptional condition in IPv6 address configuration. A local user can trigger the warning path to cause a denial of service.


79) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43345)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper register field definition in the IPA GSI event ring configuration logic when initializing event rings on IPA v5.0+ hardware. A local user can trigger channel operations that wait for transfer completion to cause a denial of service.

The issue can cause runtime suspend, system suspend, and remoteproc stop operations to hang indefinitely, and the IPA data path may become non-functional.


80) Signed to Unsigned Conversion Error (CVE-ID: CVE-2026-43405)

CWE-ID: CWE-195 - Signed to Unsigned Conversion Error

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of signedness conversion in ceph_monmap_decode() when parsing an incoming monitor map message. A remote attacker can send a specially crafted message with a very large num_mon value to cause a denial of service.

The issue can trigger an attempt to allocate an excessively large chunk of memory and results in -ENOMEM being returned instead of rejecting the input as invalid.


81) Race condition (CVE-ID: CVE-2026-43420)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in ceph_unlink() when processing asynchronous unlink operations. A local user can trigger concurrent unlink completion handling to cause a denial of service.

Only the asynchronous unlink code path is affected.


82) Type Confusion (CVE-ID: CVE-2026-43456)

CWE-ID: CWE-843 - Type confusion

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to type confusion in bond_setup_by_slave() when handling header operations for a bonded non-Ethernet slave device. A local user can enslave a non-Ethernet device such as a GRE tunnel to a bond and trigger packet transmission to cause a denial of service.

The issue is triggered because header callbacks from the slave device are invoked with the bond device context, causing device-specific private data to be interpreted as the wrong type.


83) Improper locking (CVE-ID: CVE-2026-43469)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the xprtrdma receive handling logic when exiting early from receive work request posting. A local user can trigger memory pressure conditions to cause a denial of service.

The issue can cause the system to hang because the re_receiving counter is not decremented on certain early exit paths, preventing completion during transport drain.


84) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43472)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in unshare_fs() when handling unshare(2) requests with CLONE_NEWNS together with additional namespace flags that can fail after mount namespace creation. A local user can invoke unshare(2) in this state to cause a denial of service.

The issue can leave the calling process with pwd and root pointing to detached isolated mounts after unshare(2) fails, such as after an -ENOMEM error during cgroup namespace setup.


85) Improper input validation (CVE-ID: CVE-2026-43491)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the qrtr namespace service when handling NEW_SERVER messages. A remote attacker can send a flood of NEW_SERVER messages to cause a denial of service.

Exploitation can exhaust memory by registering excessive servers for a node.


86) Integer underflow (CVE-ID: CVE-2026-43492)

CWE-ID: CWE-191 - Integer underflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to integer underflow in mpi_read_raw_from_sgl() when processing a crafted scatterlist during a KEYCTL_PKEY_ENCRYPT system call. A local user can supply an input buffer of zeroes with a larger out_len than in_len to cause a denial of service.

The issue can cause the kernel to spin forever, resulting in soft lockup splats.


87) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43502)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in rds_message_purge() in the net/rds subsystem when cleaning up a failed zerocopy send before the message is queued. A local user can trigger an early zerocopy send failure to cause a denial of service.

The issue occurs after user pages have been pinned but before the message is attached to the sending socket.


88) Out-of-bounds read (CVE-ID: CVE-2026-45838)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in cgroup_storage_get_next_key() when processing end-of-list conditions for cgroup storage map keys. A local user can trigger the function on the last list element to disclose sensitive information.

The issue occurs because the code reads a key from a bogus pointer that aliases internal map fields and copies the result to userspace.


89) Improper input validation (CVE-ID: CVE-2026-45840)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the openvswitch vport netlink reply helpers when handling a crafted upcall PID array in vport mutation operations. A local user can supply an oversized PID array to trigger a kernel BUG and cause a denial of service.

On systems with unprivileged user namespaces enabled, the issue is reachable via unshare -Urn.


90) Division by zero (CVE-ID: CVE-2026-45841)

CWE-ID: CWE-369 - Divide By Zero

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to divide-by-zero in nf_osf_match_one() in nfnetlink_osf when processing a subsequent matching TCP SYN after a crafted fingerprint is added via nfnetlink. A local user can add a fingerprint with a zero wss value to trigger a kernel panic.

Exploitation requires CAP_NET_ADMIN privileges.


91) NULL pointer dereference (CVE-ID: CVE-2026-45848)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in aa_sock_file_perm when handling socket setup or teardown. A local user can trigger the vulnerable code path to cause a denial of service.

The issue is reachable for older af_unix mediation and other socket types.


92) Improper Initialization (CVE-ID: CVE-2026-45862)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper initialization in the PASID table handling in the Intel VT-d IOMMU subsystem when using a freshly allocated PASID table before its cache flush completes. A local user can trigger use of the PASID table with stale memory contents to cause a denial of service.

The issue affects systems with non-coherent IOMMU hardware.


93) Improper resource shutdown or release (CVE-ID: CVE-2026-45870)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in the SUNRPC auth_gss XDR decoding functions when decoding GSSX context, status, or name data. A local user can trigger a decoding failure after memory has been allocated to cause a denial of service.

The issue occurs on error paths where previously allocated buffers remain unreferenced if a subsequent decode step fails.


94) Double free (CVE-ID: CVE-2026-45891)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in hns3_set_ringparam() and the ring cleanup path when handling ring reconfiguration after a memory allocation failure. A local user can trigger ring parameter changes that lead to a failed ring initialization to cause a denial of service.

The issue is caused by a stale dangling pointer in the tx_spare field that is mistaken for a newly allocated buffer during error cleanup.


95) Race condition (CVE-ID: CVE-2026-45894)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the Intel VT-d scalable mode PASID table entry handling when tearing down an active PASID entry. A local user can trigger concurrent PASID entry teardown to cause a denial of service.

The issue can lead to unpredictable behavior or spurious faults if the IOMMU hardware observes a torn read of the entry.


96) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45912)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in ext4 extent status tree handling when splitting an unwritten extent during direct I/O writes. A local user can trigger extent splitting and subsequent delayed buffer writes to cause a denial of service.

The issue can leave a stale hole extent in the extent status tree, leading to errors in space accounting.


97) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-45940)

CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of descriptor length calculation in stmmac_napi_poll_rx when processing packets with split header enabled on GMAC4 hardware. A remote attacker can send network traffic that triggers incorrect payload length handling to cause a denial of service.

The issue occurs in rare cases when the hardware does not fill buf2 of the first descriptor with payload.


98) Memory leak (CVE-ID: CVE-2026-45948)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in ext4_ext_shift_extents() when shifting extents. A local user can trigger the vulnerable code path to cause a denial of service.


99) Improper resource shutdown or release (CVE-ID: CVE-2026-45961)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in gfs2_fill_super() and gfs2_make_fs_rw() when transitioning a filesystem to read-write mode and handling error paths. A local user can trigger failures during this process to cause a denial of service.

The issue involves memory leaks of created kernel threads and an allocated quota bitmap buffer during specific failure conditions.


100) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-45964)

CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a reference count leak in gss_alloc_msg() in the SUNRPC gss_auth handling code when processing a non-NULL service name and memory allocation fails in kstrdup_const(). A local user can trigger the error path to cause a denial of service.

The issue occurs because the gss_auth reference is not released on the err_put_pipe_version error path, which can prevent the structure from being freed.


101) NULL pointer dereference (CVE-ID: CVE-2026-45965)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in rawdata_get_link_base in apparmorfs when resolving symbolic links to rawdata for a replaced profile after the export_binary parameter has been disabled at runtime. A local user can read a crafted rawdata symbolic link to cause a denial of service.

The issue occurs for profiles loaded before export_binary was disabled and then replaced, leaving the rawdata pointer NULL while the symbolic link remains accessible.


102) Out-of-bounds read (CVE-ID: CVE-2026-45974)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in btrfs_quota_enable() when processing crafted btrfs filesystem metadata. A local user can trigger quota enablement on a malformed filesystem image to cause a denial of service.


103) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45985)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper extent state handling in ext4_split_convert_extents() when allocating blocks during within-EOF direct I/O and writeback with dioread_nolock enabled. A local user can trigger a failed direct I/O write that splits an unwritten extent to disclose sensitive information.

The issue can occur when a temporary ENOSPC condition happens during extent splitting, causing inconsistency between the on-disk extent state and the extent status tree.


104) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-46005)

CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a resource leak in xfs_alloc_buftarg() when handling an error path. A local user can trigger the vulnerable error condition to cause a denial of service.


105) Race condition (CVE-ID: CVE-2026-46028)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the algif_aead AF_ALG AEAD request handling when processing asynchronous AEAD AIO requests. A local user can trigger concurrent socket activity to cause a denial of service.

The issue arises because in-flight operations depend on a mutable socket-wide IV buffer that can be changed before the original request completes.


106) Out-of-bounds read (CVE-ID: CVE-2026-46037)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the ipv4 icmp reply handling logic when processing extended echo replies. A remote attacker can send a specially crafted icmp packet to cause a denial of service.


107) Double free (CVE-ID: CVE-2026-46053)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in __rds_rdma_map() when copying the generated cookie back to user space. A local user can trigger a copy error after memory region registration succeeds to cause a denial of service.


108) Deadlock (CVE-ID: CVE-2026-46063)

CWE-ID: CWE-833 - Deadlock

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking in shadow stack signal frame handling during sigreturn when reading the shadow stack signal frame from userspace. A local user can trigger a page fault during sigreturn to cause a denial of service.

The issue can occur when a writer on another CPU is waiting on the mmap lock, leading to a deadlock in the fault handling path.


109) Use-after-free (CVE-ID: CVE-2026-46065)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in fbdev deferred I/O handling when accessing a memory mapping after device hot-unplug. A local user can keep an active mapping of graphics memory and access it after hot-unplug to cause a denial of service.

Access to the invalidated mapping may result in a SIGBUS signal.


110) Use-after-free (CVE-ID: CVE-2026-46069)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in mwifiex_adapter_cleanup() when cleaning up the adapter while the wakeup timer callback is still executing. A local user can trigger device removal during this race condition to cause a denial of service.


111) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46071)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in nested_svm_vmexit() and vmcb12 handling when copying last branch records. A local user can trigger a nested SVM VM exit to cause a denial of service.

The issue affects nested virtualization on AMD SVM.


112) Improper access control (CVE-ID: CVE-2026-46076)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass hypercall interception controls.

The vulnerability exists due to improper access control in KVM nested SVM handling when processing VMMCALL from an L2 guest. A remote user can invoke an unhandled VMMCALL to bypass hypercall interception controls.

Exploitation requires an active nested virtualization scenario where L2 is running, L1 does not intercept VMMCALL, nested_svm_l2_tlb_flush_enabled() is true, and the hypercall is not one of the supported Hyper-V hypercalls.


113) Improper input validation (CVE-ID: CVE-2026-46101)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in nft_bitwise when initializing left and right shift expressions with a zero shift operand. A local user can create a malformed rule to cause a denial of service.

The issue is triggered in the control plane before malformed rules reach the packet path.


114) Improper locking (CVE-ID: CVE-2026-46112)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to corrupt memory.

The vulnerability exists due to improper locking in hns_roce_create_qp_common() and hns_roce_qp_remove() when handling error unwind during queue pair creation. A local user can trigger the error path to corrupt memory.


115) Use-after-free (CVE-ID: CVE-2026-46116)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in __xfrm_state_delete when deleting xfrm_state list entries during xfrm_state lifecycle handling. A local user can trigger repeated deletion of the same xfrm_state object to cause a denial of service.

The issue was reproduced under syzkaller load during network namespace cleanup in the xfrm subsystem.


116) Out-of-bounds read (CVE-ID: CVE-2026-46119)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in libceph auth message processing when handling a crafted CEPH_MSG_AUTH_REPLY message. A remote attacker can send a specially crafted auth reply message to disclose sensitive information.

The issue occurs when a positive result value is misinterpreted as the size of the front segment to send, which can cause memory beyond the allocated buffer to be transmitted.


117) Use-after-free (CVE-ID: CVE-2026-46120)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in ip6erspan_changelink() when changing link configuration after network namespace migration. A local user can trigger tunnel reinsertion into the wrong per-netns hash to cause a denial of service.

The issue is reachable from an unprivileged user namespace.


118) Out-of-bounds read (CVE-ID: CVE-2026-46123)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in virtbt_rx_work() and virtbt_rx_handle() when processing device-reported receive lengths from the virtio Bluetooth backend. A local attacker can provide a crafted length value to cause the kernel to read uninitialized memory and disclose sensitive information.

The issue can be triggered when the backend reports a receive length larger than the 1000-byte buffer exposed to the device, or when it reports an empty completion with a zero length.


119) Improper input validation (CVE-ID: CVE-2026-46124)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper input validation in isofs_export_iget when processing block numbers from NFS file handles. A remote user can send a crafted NFS file handle to disclose sensitive information.

Exploitation requires an authenticated NFS peer and affects isofs exported over NFS from loop-mounted images.


120) Out-of-bounds read (CVE-ID: CVE-2026-46133)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in rxe_icrc_hdr() and opcode handling in the Soft RoCE receive path when processing a specially crafted UDP packet with an unknown RDMA opcode. A remote attacker can send a specially crafted UDP packet to trigger an out-of-bounds read and cause a denial of service.

The issue can be triggered without authentication after the RDMA RXE interface is enabled, and no queue pair or connection setup is required.


121) Improper access control (CVE-ID: CVE-2026-46150)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass permission checks.

The vulnerability exists due to improper access control in fsnotify_get_mark_safe() when processing fanotify permission events. A local user can trigger permission events in the presence of an unrelated detached mark to bypass permission checks.


122) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46160)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause filesystem corruption and a denial of service.

The vulnerability exists due to improper state update in the btrfs directory unlink handling when removing a directory and later fsyncing it through an open file descriptor. A local user can remove a directory, retain a file descriptor to it, and trigger fsync to cause filesystem corruption and a denial of service.

The issue can cause log replay to fail with an -EIO error when the filesystem is mounted.


123) Double free (CVE-ID: CVE-2026-46162)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in ice_sf_eth_activate() when handling an auxiliary_device_add() failure. A local user can trigger the error path to cause a denial of service.


124) Memory leak (CVE-ID: CVE-2026-46172)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a memory leak in xfrm6_rcv_encap() when processing IPv6 packets that trigger an error route lookup. A remote attacker can send specially crafted packets to cause a denial of service.

Repeated packets hitting this path leak dst entries.


125) Use-after-free (CVE-ID: CVE-2026-46173)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause memory corruption.

The vulnerability exists due to use-after-free in make_task_dead()/do_task_dead() task exit handling when an already-exiting task oopses during task exit. A local user can trigger an oops in a file_operations::release handler to cause memory corruption.

This can result in two tasks running on the same stack.


126) Out-of-bounds read (CVE-ID: CVE-2026-46185)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to out-of-bounds read in symlink_data() when processing an SMB2 symlink error response. A remote attacker can send a specially crafted SMB2 response to disclose sensitive information.

The issue can occur when the response buffer is shorter than the expected SMB2 error response structure.


127) Out-of-bounds read (CVE-ID: CVE-2026-46197)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to out-of-bounds read in the SVM ioctl handler when processing a user-controlled attribute count. A local user can supply a crafted ioctl request to cause a denial of service.


128) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46214)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper state management in virtio_transport_recv_listen() when handling connection attempts with a transport mismatch. A remote attacker can trigger repeated transport mismatch failures to cause a denial of service.

After enough such failures, the listener rejects all new connections because the accept queue backlog count remains permanently incremented.


129) Use-after-free (CVE-ID: CVE-2026-46227)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to a use-after-free and type confusion in sctp_sendmsg() SCTP_SENDALL path when iterating associations after sctp_sendmsg_to_asoc() drops and reacquires the socket lock. A local user can trigger concurrent association migration or freeing to execute arbitrary code.

The issue is reachable with no effective capabilities, and the type-confusion path can lead to a controlled indirect call via the outqueue.sched->init_sid pointer.


130) Improper Initialization (CVE-ID: CVE-2026-46229)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper initialization in the KFD VRAM allocation path when allocating VRAM buffers for compute kernels. A local user can allocate VRAM buffers and observe stale data from prior use to disclose sensitive information.

Stale page table remnants may be exposed in user buffers.


131) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-46244)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass firewall restrictions.

The vulnerability exists due to improper handling of the transport header offset in nft_inner_parse_l2l3() in net/netfilter/nft_inner.c when processing inner IPv6 packets with extension headers. A remote attacker can send specially crafted packets to bypass firewall restrictions.

The issue causes a desynchronization between inner_thoff and l4proto, allowing transport header forgery in the inner IPv6 parsing path.


132) Heap-based buffer overflow (CVE-ID: CVE-2026-46253)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a heap-based buffer overflow and an out-of-bounds read in persistent_ram_save_old() and ramoops_pstore_read() when processing persistent crash records after repeated calls for the same persistent_ram_zone. A local user can trigger a survivable crash sequence with a larger subsequent record to cause a denial of service.

Exploitation requires a prior crash record that did not fill the record size, pstore_update_ms to be enabled, and a non-fatal oops so the system continues running.


133) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-46254)

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of unaligned memory access in AppArmor dfa table unpacking in security/apparmor/match.c when parsing a crafted AppArmor dfa blob. A local user can supply a specially crafted policy blob to trigger unaligned memory access and cause a denial of service.

The issue can be triggered by dfa tables originating from userspace, and it affects architectures that fault on unaligned memory accesses.


134) Use-after-free (CVE-ID: CVE-2026-46259)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in do_task_stat() in procfs when reading /proc/[pid]/stat. A local user can trigger access to a stale real_parent task reference to cause a denial of service.


135) Improper input validation (CVE-ID: CVE-2026-46266)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to alter forwarding and path MTU exception handling state.

The vulnerability exists due to improper input validation in RAW socket handling in the IPv4 and IPv6 ICMP error delivery paths when processing malicious incoming ICMP packets with an embedded packet header using protocol 255. A remote attacker can send a specially crafted ICMP packet to alter forwarding and path MTU exception handling state.

Exploitation requires the presence of a RAW socket created with IPPROTO_RAW.


136) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-46273)

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of segmentation offload constraints in ibmveth when processing gso packets with a small mss. A local user can send specially crafted packets to cause a denial of service.

The issue is triggered when the hardware performs segmentation with more than one segment and an MSS smaller than 224 bytes; single-segment GSO packets do not trigger the affected code path.


137) Use-after-free (CVE-ID: CVE-2026-46274)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to a use-after-free in io_wq_remove_pending() and hash_tail handling in io_uring when cancelling hashed bucket-0 work with a non-hashed predecessor in the work list. A local user can trigger cancellation and subsequent hashed work insertion to execute arbitrary code.

The dangling pointer can persist for the lifetime of the task because the io_wq is per-task and survives ring open and close operations.


138) Out-of-bounds write (CVE-ID: CVE-2026-46289)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in extract_kvec_to_sg in lib/scatterlist.c when extracting a kvec into a scatterlist. A local user can trigger the function with crafted kvec data to cause a denial of service.


139) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2026-46291)

CWE-ID: CWE-532 - Information Exposure Through Log Files

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to insertion of sensitive information into log files in hash_digest_key in the caam hash implementation when debug hex dumps are generated with CONFIG_DYNAMIC_DEBUG enabled. A local user can read exposed HMAC key bytes from debug output to disclose sensitive information.

The issue affects HMAC key material handled by the CAAM crypto driver.


140) Use of uninitialized resource (CVE-ID: CVE-2026-46315)

CWE-ID: CWE-908 - Use of Uninitialized Resource

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to uninitialized memory usage in io_uring IORING_OP_WAITID result handling when copying waitid result data to userspace. A local user can trigger a wait operation that completes without reporting a child event to disclose sensitive information.

The issue occurs because stale bytes from reused io_kiocb command storage may be copied to userspace siginfo when no child event information is written.


141) Use-after-free (CVE-ID: CVE-2026-46319)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to a use-after-free race condition in tcf_ct_flow_table_get() in net/sched/act_ct.c when looking up a flow table and incrementing its reference count. A local user can trigger the race during act_ct initialization to escalate privileges.

The race window is very short and occurs after the flow table object is returned from the hash table lookup but before its reference count is successfully incremented.


142) Improper resource shutdown or release (CVE-ID: CVE-2026-46320)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in tap_get_user_xdp() when processing XDP frames. A local user can send a crafted short frame or trigger skb allocation failure to cause a denial of service.

Each rejected frame in a batch leaks one page-frag chunk.


143) Incorrect calculation (CVE-ID: CVE-2026-46328)

CWE-ID: CWE-682 - Incorrect Calculation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of rlimit updates in AppArmor resource limit enforcement when transitioning rlimits for posix cpu timers. A local user can trigger an incorrect cpu time limit update to cause a denial of service.

The issue affects systems with posix timers enabled.


144) Out-of-bounds write (CVE-ID: CVE-2026-46331)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause memory corruption.

The vulnerability exists due to an out-of-bounds write in tcf_pedit_act() when processing packet edit actions with typed keys and runtime header offsets. A local user can supply crafted pedit parameters that cause writes to a region that has not been properly copy-on-written to cause memory corruption.

The issue can involve negative offsets such as Ethernet header edits at ingress.


145) Improper access control (CVE-ID: CVE-2026-52908)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to gain write access to memory regions that were not properly pinned as writable.

The vulnerability exists due to improper access control in RDMA memory region re-registration handling when changing IB_MR_REREG_ACCESS from read-only to read-write. A local user can re-register a memory region with writable access to gain write access to memory regions that were not properly pinned as writable.

The issue occurs when a driver reuses an existing umem during memory region re-registration.


146) Improper access control (CVE-ID: CVE-2026-52909)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to move a fallback tunnel device to another network namespace.

The vulnerability exists due to improper access control in the ip6_vti fallback tunnel device initialization when initializing the per-network-namespace fallback device. A local user can move the ip6_vti0 device to another network namespace to move a fallback tunnel device to another network namespace.

The issue affects the per-netns fallback tunnel device ip6_vti0.


147) Race condition (CVE-ID: CVE-2026-52918)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in bt_sock_poll() and the Bluetooth accept queue when polling Bluetooth sockets. A local user can trigger concurrent socket teardown and accept queue access to cause a denial of service.

The issue occurs because the accept queue is walked without synchronization while child teardown can unlink a socket and drop its last reference.


148) Use-after-free (CVE-ID: CVE-2026-52923)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in ipc_idr_alloc() in the checkpoint/restore SysV IPC allocation path when processing a request for the next SysV IPC id. A local user can request allocation beyond the valid IPC id range to cause a denial of service.

A subsequent walk of /proc/sysvipc/shm can dereference freed memory through a stale IDR entry.


149) Use-after-free (CVE-ID: CVE-2026-52943)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to a use-after-free in pskb_carve_inside_header() and pskb_carve_inside_nonlinear() when copying skb_shared_info for MSG_ZEROCOPY skbs. A local user can trigger repeated zerocopy skb operations to escalate privileges.

The issue is caused by copying the destructor_arg pointer into a new skb_shared_info without incrementing the associated zerocopy reference count, which can prematurely free ubuf_info_msgzc while transmit skbs still hold live references.


150) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-52954)

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of duplicate rbtree keys in decode_choose_args() when processing a crafted CEPH_MSG_OSD_MAP message containing duplicate choose_args_index values. A remote attacker can send a specially crafted message to cause a denial of service.


151) NULL pointer dereference (CVE-ID: CVE-2026-52957)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a null pointer dereference in decode_choose_args() when processing a crafted CEPH_MSG_OSD_MAP message containing a crush_choose_arg_map with a bucket index that refers to a NULL bucket. A remote attacker can send a specially crafted message to cause a denial of service.


152) Memory leak (CVE-ID: CVE-2026-52962)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in __ceph_setxattr() when retrying extended attribute updates. A local user can trigger repeated setxattr operations to cause a denial of service.


153) Out-of-bounds write (CVE-ID: CVE-2026-52969)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause memory corruption.

The vulnerability exists due to an out-of-bounds write in kvm_reset_dirty_gfn() and the KVM dirty ring handling logic when processing rewritten dirty ring entries from a vcpu file descriptor. A local user can modify slot and offset fields in crafted dirty ring entries to cause memory corruption.

The issue is reachable from a process holding /dev/kvm and affects the legacy MMU path with shadow paging, allocated shadow roots, or a write-tracked slot.


154) Integer overflow (CVE-ID: CVE-2026-52972)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an integer overflow in the af_alg control message handler when processing a crafted associated data length value for AEAD operations. A local user can send a specially crafted message to cause a denial of service.


155) Out-of-bounds write (CVE-ID: CVE-2026-53016)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in ccp_aes_complete() when processing AF_ALG rfc3686-ctr-aes-ccp requests. A local user can supply a request with an 8-byte IV to cause a denial of service.


156) Out-of-bounds read (CVE-ID: CVE-2026-53040)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the ocfs2 freefrag scan logic in fs/ocfs2/ioctl.c when processing a crafted filesystem through OCFS2_IOC_INFO with OCFS2_INFO_FL_NON_COHERENT. A local user can supply a crafted filesystem and issue the ioctl request to cause a denial of service.

The issue occurs in the non-coherent scan path, which reads raw group descriptor blocks without the validation performed by the coherent path.


157) Improper input validation (CVE-ID: CVE-2026-53041)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the ocfs2 xattr list handling logic when processing listxattr requests for inodes with both inline and block-based extended attributes. A local user can invoke listxattr on a crafted OCFS2 inode state to cause a denial of service.

The issue occurs when inline extended attribute names exactly consume the caller buffer and additional block-based extended attribute names are present.


158) Memory corruption (CVE-ID: CVE-2026-53052)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to incorrect memory access in the qdsp6 topology widget unload handler when processing a virtual widget without checking its type before accessing private data. A local user can trigger the vulnerable code path to cause a denial of service.


159) Improper access control (CVE-ID: CVE-2026-53053)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper access of device identifier data in clone_alias() in the AMD IOMMU subsystem when processing PCI DMA aliases. A local user can trigger alias cloning for a device to cause a denial of service.

Incorrect source device identifiers can cause wrong or stale device table entries to be propagated to an alias device.


160) Race condition (CVE-ID: CVE-2026-53071)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to corrupt kernel memory.

The vulnerability exists due to a race condition in l2cap_ecred_reconf_rsp in the L2CAP subsystem when processing a crafted L2CAP ECRED reconfiguration response from a remote BLE device. A remote attacker can send a specially crafted L2CAP ECRED reconfiguration response to corrupt kernel memory.

Exploitation requires concurrent channel list iteration by another thread.


161) Use-after-free (CVE-ID: CVE-2026-53072)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in hci_conn_request_evt() when handling deferred Bluetooth connection requests. A local user can trigger concurrent connection handling to cause a denial of service.

Only SCO deferred setup listen code paths are affected.


162) Deadlock (CVE-ID: CVE-2026-53122)

CWE-ID: CWE-833 - Deadlock

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a deadlock condition in the btrfs reflink operation when processing reflink operations with the flushoncommit mount option enabled. A local user can trigger a reflink of an inline extent to an offset beyond the destination inode size to cause a denial of service.

Exploitation requires the flushoncommit mount option and a reflink operation that copies an inline extent beyond the current i_size of the destination inode.


163) Integer overflow (CVE-ID: CVE-2026-53133)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to integer overflow in __rdma_block_iter_next() in the RDMA umem block iterator when reassembling split scatter-gather entries during IOMMU-backed mapping linearization. A local user can trigger processing of a very large mapped block to cause a denial of service.

The issue occurs for block sizes greater than or equal to 4G when a single large block is split across multiple scatter-gather entries.


164) Out-of-bounds read (CVE-ID: CVE-2026-53138)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows an attacker with physical access to cause a denial of service or disclose sensitive information.

The vulnerability exists due to an out-of-bounds read and unbounded iteration in amd display bios_parser.c and bios_parser2.c record-chain walk loops when parsing a malformed VBIOS image during probe time. An attacker with physical access can provide a crafted VBIOS image missing the terminator record to cause a denial of service or disclose sensitive information.

The issue is triggered when the VBIOS record chain lacks the 0xFF terminator record or uses a zero-sized termination condition incorrectly.


165) Improper input validation (CVE-ID: CVE-2026-53182)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in nl80211_parse_rnr_elems() when parsing nested NL80211_ATTR_EMA_RNR_ELEMS input. A local user can send a specially crafted nl80211 message to cause a denial of service.

The issue is related to the element count being stored in a u8-backed cfg80211_rnr_elems::cnt field and incremented past its supported limit.


166) Out-of-bounds read (CVE-ID: CVE-2026-53253)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in bnep_rx_frame() and bnep_rx_control() in the BNEP packet parser when processing short BNEP frames. A remote attacker can send a specially crafted short BNEP SDU to cause a denial of service.

The issue is triggered by malformed control packets with missing fixed fields or an empty control payload.


167) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-53266)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory handling in the ebtables SNAT target ARP sender hardware address rewrite in net/bridge/netfilter/ebt_snat.c when processing ARP packets in bridge netfilter hooks. A local user can trigger ARP sender hardware address rewriting on a crafted nonlinear skb to cause a denial of service.

Exploitation requires the ARP sender hardware address rewrite path to be reached with a nonlinear skb fragment backed by a splice-imported file page.


168) Use-after-free (CVE-ID: CVE-2026-53281)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a NULL pointer dereference and use-after-free in the Intel VT-d IOMMU PASID teardown logic when detaching a domain that was not attached to the IOMMU or when a PASID entry is not found. A local user can trigger teardown operations on an invalid or missing PASID association to cause a denial of service or execute arbitrary code.

The issue can also corrupt reference counts, which may prematurely drop a shared domain reference to zero for remaining active devices.


169) Insufficient Logging (CVE-ID: CVE-2026-53287)

CWE-ID: CWE-778 - Insufficient Logging

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to conceal capability changes in audit records.

The vulnerability exists due to incorrect data recording in __audit_log_capset() in the audit subsystem when logging CAPSET operations. A local user can modify inheritable capabilities to conceal capability changes in audit records.

This can mask preparation for a privilege-escalating exec in audit data used for compliance and forensic analysis.


170) Use-after-free (CVE-ID: CVE-2026-53359)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the KVM x86 shadow paging logic when changing a PDE mapping from outside the guest and deleting a memslot. A local user can trigger stale rmap entries and subsequent dereference of a freed sptep to cause a denial of service.

The issue occurs when a modified PDE points to a non-leaf page, causing a role mismatch between reused shadow pages for large 2MB mappings and new 4KB mappings.


171) Out-of-bounds write (CVE-ID: CVE-2026-53362)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to corrupt kernel memory.

The vulnerability exists due to an out-of-bounds write in __ip6_append_data() when processing UDPv6 socket data with MSG_MORE and MSG_SPLICE_PAGES on the paged allocation path. A local user can send crafted data through a UDPv6 socket to corrupt kernel memory.

The issue occurs when fraggap is non-zero and the paged-allocation branch is taken, causing writes past skb->end into trailing skb_shared_info.


Remediation

Install update from vendor's website.