| purl | pkg:deb/debian/linux@6.1.162-1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-142k-7wgv-pfh6 | In the Linux kernel, the following vulnerability has been resolved: wifi: radiotap: reject radiotap with unknown bits The radiotap parser is currently only used with the radiotap namespace (not with vendor namespaces), but if the undefined field 18 is used, the alignment/size is unknown as well. In this case, iterator->_next_ns_data isn't initialized (it's only set for skipping vendor namespaces), and syzbot points out that we later compare against this uninitialized value. Fix this by moving the rejection of unknown radiotap fields down to after the in-namespace lookup, so it will really use iterator->_next_ns_data only for vendor namespaces, even in case undefined fields are present. | CVE-2026-23367 |
| VCID-14ey-bdy6-5qe9 | In the Linux kernel, the following vulnerability has been resolved: ext4: validate p_idx bounds in ext4_ext_correct_indexes ext4_ext_correct_indexes() walks up the extent tree correcting index entries when the first extent in a leaf is modified. Before accessing path[k].p_idx->ei_block, there is no validation that p_idx falls within the valid range of index entries for that level. If the on-disk extent header contains a corrupted or crafted eh_entries value, p_idx can point past the end of the allocated buffer, causing a slab-out-of-bounds read. Fix this by validating path[k].p_idx against EXT_LAST_INDEX() at both access sites: before the while loop and inside it. Return -EFSCORRUPTED if the index pointer is out of range, consistent with how other bounds violations are handled in the ext4 extent tree code. | CVE-2026-31449 |
| VCID-16bv-9gad-pkat | kernel: wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work | CVE-2025-39863 |
| VCID-16es-2z99-a3hu | | CVE-2026-31405 |
| VCID-179u-b611-z7hc | In the Linux kernel, the following vulnerability has been resolved: net: macb: use the current queue number for stats There's a potential mismatch between the memory reserved for statistics and the amount of memory written. gem_get_sset_count() correctly computes the number of stats based on the active queues, whereas gem_get_ethtool_stats() indiscriminately copies data using the maximum number of queues, and in the case the number of active queues is less than MACB_MAX_QUEUES, this results in a OOB write as observed in the KASAN splat. ================================================================== BUG: KASAN: vmalloc-out-of-bounds in gem_get_ethtool_stats+0x54/0x78 [macb] Write of size 760 at addr ffff80008080b000 by task ethtool/1027 ================================================================== Fix it by making sure the copied size only considers the active number of queues. | CVE-2026-31494 |
| VCID-17tu-a4wu-b3hv | kernel: blktrace: fix __this_cpu_read/write in preemptible context | CVE-2026-23374 |
| VCID-188w-9sxd-5khx | In the Linux kernel, the following vulnerability has been resolved: iavf: fix out-of-bounds writes in iavf_get_ethtool_stats() iavf incorrectly uses real_num_tx_queues for ETH_SS_STATS. Since the value could change in runtime, we should use num_tx_queues instead. Moreover iavf_get_ethtool_stats() uses num_active_queues while iavf_get_sset_count() and iavf_get_stat_strings() use real_num_tx_queues, which triggers out-of-bounds writes when we do "ethtool -L" and "ethtool -S" simultaneously [1]. For example when we change channels from 1 to 8, Thread 3 could be scheduled before Thread 2, and out-of-bounds writes could be triggered in Thread 3: Thread 1 (ethtool -L) Thread 2 (work) Thread 3 (ethtool -S) iavf_set_channels() ... iavf_alloc_queues() -> num_active_queues = 8 iavf_schedule_finish_config() iavf_get_sset_count() real_num_tx_queues: 1 -> buffer for 1 queue iavf_get_ethtool_stats() num_active_queues: 8 -> out-of-bounds! iavf_finish_config() -> real_num_tx_queues = 8 Use immutable num_tx_queues in all related functions to avoid the issue. [1] BUG: KASAN: vmalloc-out-of-bounds in iavf_add_one_ethtool_stat+0x200/0x270 Write of size 8 at addr ffffc900031c9080 by task ethtool/5800 | CVE-2026-31505 |
| VCID-1ajk-6gxr-efgp | kernel: gfs2: No more self recovery | CVE-2025-38659 |
| VCID-1cac-quc3-2bcf | kernel: smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set() | CVE-2025-40139 |
| VCID-1dxt-yy4z-y7cs | kernel: can: ucan: Fix infinite loop from zero-length messages | CVE-2026-23298 |
| VCID-1fca-q7wb-u3cx | kernel: bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT | CVE-2025-21825 |
| VCID-1g53-791b-8fd7 | kernel: drm/amd/display: Validate function returns | CVE-2024-46775 |
| VCID-1g77-qwuy-nkg8 | | CVE-2026-31416 |
| VCID-1hvg-tmga-nfhm | kernel: firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier() | CVE-2024-53068 |
| VCID-1kgs-19ue-wbe1 | In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA. Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data. [also change sta->sdata in ARRAY_SIZE even if it doesn't matter] | CVE-2026-31394 |
| VCID-1m9j-m8xz-zqav | kernel: smc: Fix use-after-free in tcp_write_timer_handler() | CVE-2023-53781 |
| VCID-1n5v-auw6-wbcd | | CVE-2026-23420 |
| VCID-1n7k-a7ve-8qcr | kernel: smb: client: fix use-after-free of signing key | CVE-2024-53179 |
| VCID-1rd4-nsvv-6bfy | kernel: btrfs: don't check PageError in __extent_writepage | CVE-2023-53429 |
| VCID-1s26-havx-dkey | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv() l2cap_ecred_data_rcv() reads the SDU length field from skb->data using get_unaligned_le16() without first verifying that skb contains at least L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads past the valid data in the skb. The ERTM reassembly path correctly calls pskb_may_pull() before reading the SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the same validation to the Enhanced Credit Based Flow Control data path. | CVE-2026-31512 |
| VCID-1s77-djzb-xffp | | CVE-2026-31417 |
| VCID-1x2r-t2gj-akgf | kernel: netfilter: nft_objref: validate objref and objrefmap expressions | CVE-2025-40206 |
| VCID-1yba-pq6x-qkh3 | kernel: iio: common: st_sensors: Fix use of uninitialize device structs | CVE-2025-38531 |
| VCID-1ygk-whua-gbcq | kernel: ALSA: usb-audio: Use correct version for UAC3 header validation | CVE-2026-23318 |
| VCID-1zbm-pnj5-xqb4 | kernel: mptcp: pm: in-kernel: always mark signal+subflow endp as used | CVE-2026-23321 |
| VCID-1zkc-5ucw-e3et | kernel: cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value | CVE-2024-50009 |
| VCID-214g-9hfm-wqbk | kernel: Linux kernel: Denial of Service due to memory leak in mlx5e driver | CVE-2023-53999 |
| VCID-2198-cz4u-87hu | kernel: ksmbd: Compare MACs in constant time | CVE-2026-23364 |
| VCID-21fx-6crx-ske2 | kernel: drm/amd/display: Add null check for head_pipe in dcn32_acquire_idle_pipe_for_head_pipe_in_layer | CVE-2024-49918 |
| VCID-21jy-g45u-c7gp | kernel: sched/deadline: Fix warning in migrate_enable for boosted tasks | CVE-2024-56583 |
| VCID-21z5-p9ct-p7g2 | kernel: wifi: iwlwifi: fix debug actions order | CVE-2025-38045 |
| VCID-2369-8134-y3ck | kernel: hisi_acc_vfio_pci: bugfix live migration function without VF device driver | CVE-2025-38283 |
| VCID-24dm-m1bk-t7fv | In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: fix race condition in qman_destroy_fq When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. Indeed, we can have: Thread A Thread B qman_destroy_fq() qman_create_fq() qman_release_fqid() qman_shutdown_fq() gen_pool_free() -- At this point, the fqid is available again -- qman_alloc_fqid() -- so, we can get the just-freed fqid in thread B -- fq->fqid = fqid; fq->idx = fqid * 2; WARN_ON(fq_table[fq->idx]); fq_table[fq->idx] = fq; fq_table[fq->idx] = NULL; And adding some logs between qman_release_fqid() and fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more. To prevent that, ensure that fq_table[fq->idx] is set to NULL before gen_pool_free() is called by using smp_wmb(). | CVE-2026-23463 |
| VCID-24gw-73zd-3khc | kernel: ipv6: mcast: extend RCU protection in igmp6_send() | CVE-2025-21759 |
| VCID-25ja-vd4z-3ffc | kernel: wifi: ath10k: shutdown driver when hardware is unreliable | CVE-2025-39746 |
| VCID-25nt-fa4m-97fm | kernel: binfmt_misc: restore write access before closing files opened by open_exec() | CVE-2025-68239 |
| VCID-2bay-kzph-yya3 | kernel: RDMA/siw: Add sendpage_ok() check to disable MSG_SPLICE_PAGES | CVE-2024-53094 |
| VCID-2bbj-94mj-rfa7 | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Do not skip unrelated mode changes in DSC validation Starting with commit 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in atomic check"), amdgpu resets the CRTC state mode_changed flag to false when recomputing the DSC configuration results in no timing change for a particular stream. However, this is incorrect in scenarios where a change in MST/DSC configuration happens in the same KMS commit as another (unrelated) mode change. For example, the integrated panel of a laptop may be configured differently (e.g., HDR enabled/disabled) depending on whether external screens are attached. In this case, plugging in external DP-MST screens may result in the mode_changed flag being dropped incorrectly for the integrated panel if its DSC configuration did not change during precomputation in pre_validate_dsc(). At this point, however, dm_update_crtc_state() has already created new streams for CRTCs with DSC-independent mode changes. In turn, amdgpu_dm_commit_streams() will never release the old stream, resulting in a memory leak. amdgpu_dm_atomic_commit_tail() will never acquire a reference to the new stream either, which manifests as a use-after-free when the stream gets disabled later on: BUG: KASAN: use-after-free in dc_stream_release+0x25/0x90 [amdgpu] Write of size 4 at addr ffff88813d836524 by task kworker/9:9/29977 Since there is no reliable way of figuring out whether a CRTC has unrelated mode changes pending at the time of DSC validation, remember the value of the mode_changed flag from before the point where a CRTC was marked as potentially affected by a change in DSC configuration. Reset the mode_changed flag to this earlier value instead in pre_validate_dsc(). (cherry picked from commit cc7c7121ae082b7b82891baa7280f1ff2608f22b) | CVE-2026-31488 |
| VCID-2cux-cw1j-43hw | kernel: LoongArch: BPF: Fix off-by-one error in build_prologue() | CVE-2025-37893 |
| VCID-2cxv-ay17-4kh2 | kernel: Linux kernel: Denial of Service due to sleepable page allocation in KASAN | CVE-2025-38029 |
| VCID-2e99-ge3p-13eq | kernel: dm-raid: really frozen sync_thread during suspend | CVE-2024-35794 |
| VCID-2fsz-wcjz-9yer | kernel: ice: Don't process extts if PTP is disabled | CVE-2024-42107 |
| VCID-2k4e-em5c-m3bv | kernel: sysfs: check visibility before changing group attribute ownership | CVE-2025-40355 |
| VCID-2kan-b4em-f3fg | kernel: drm/amdgpu: remove two invalid BUG_ON()s | CVE-2025-68201 |
| VCID-2kk2-cj4m-6ucm | kernel: md: Don't ignore suspended array in md_check_recovery() | CVE-2024-26758 |
| VCID-2nz8-mxwk-dyfk | kernel: platform/x86: x86-android-tablets: Unregister devices in reverse order | CVE-2024-40975 |
| VCID-2s7e-4bym-cbe1 | kernel: nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() | CVE-2025-40261 |
| VCID-2vqp-wpcw-pfbm | kernel: bpf: Prevent tailcall infinite loop caused by freplace | CVE-2024-47794 |
| VCID-2wmk-4bjz-bbhh | kernel: ksmbd: fix use-after-free in ksmbd_free_work_struct | CVE-2025-21967 |
| VCID-2xhv-1gcg-y3cs | kernel: bpf: consider that tail calls invalidate packet pointers | CVE-2024-58237 |
| VCID-31hs-1pwx-7uak | kernel: drm/amdkfd: debugfs hang_hws skip GPU with MES | CVE-2025-37853 |
| VCID-33re-7rh6-2bg4 | kernel: net: add proper RCU protection to /proc/net/ptype | CVE-2026-23255 |
| VCID-341t-wy9a-p7fz | kernel: btrfs: do not free data reservation in fallback from inline due to -ENOSPC | CVE-2025-71269 |
| VCID-348f-73cd-37h6 | kernel: mm/huge_memory: avoid PMD-size page cache if needed | CVE-2024-42317 |
| VCID-366p-rhcz-8kb6 | kernel: Bluetooth: eir: Fix possible crashes on eir_create_adv_data | CVE-2025-38303 |
| VCID-37t1-1qg2-hqc4 | | CVE-2026-23414 |
| VCID-38ja-dsj5-qyfc | kernel: eBPF: insufficient stack type checks in dynptr | CVE-2023-39191 |
| VCID-3a8a-ns8q-wbgy | kernel: drm/amd/display: Check null pointers before using them | CVE-2024-49922 |
| VCID-3aa5-4rp5-g7h3 | kernel: Linux kernel: Memory Corruption and Kernel Crashes via IOMMU SVA coherency issue | CVE-2025-71202 |
| VCID-3ans-72mm-sfh1 | In the Linux kernel, the following vulnerability has been resolved: spi: meson-spicc: Fix double-put in remove path meson_spicc_probe() registers the controller with devm_spi_register_controller(), so teardown already drops the controller reference via devm cleanup. Calling spi_controller_put() again in meson_spicc_remove() causes a double-put. | CVE-2026-31489 |
| VCID-3ay8-sdv3-3ydv | In the Linux kernel, the following vulnerability has been resolved: tracing: Fix potential deadlock in cpu hotplug with osnoise The following sequence may leads deadlock in cpu hotplug: task1 task2 task3 ----- ----- ----- mutex_lock(&interface_lock) [CPU GOING OFFLINE] cpus_write_lock(); osnoise_cpu_die(); kthread_stop(task3); wait_for_completion(); osnoise_sleep(); mutex_lock(&interface_lock); cpus_read_lock(); [DEAD LOCK] Fix by swap the order of cpus_read_lock() and mutex_lock(&interface_lock). | CVE-2026-31480 |
| VCID-3bwh-381p-6qbh | kernel: drm/amd/display: 'panel_cntl' could be null in 'dcn21_set_backlight_level()' | CVE-2024-26662 |
| VCID-3ccs-8xaf-wfgw | kernel: mm/filemap: skip to create PMD-sized page cache if needed | CVE-2024-41031 |
| VCID-3d8r-1n1k-skff | kernel: io_uring: check for overflows in io_pin_pages | CVE-2024-53187 |
| VCID-3eb4-ca4c-5qf7 | kernel: bpf: Fix kmemleak warning for percpu hashmap | CVE-2025-37807 |
| VCID-3fpy-fq8u-r3gb | kernel: jfs: add check read-only before txBeginAnon() call | CVE-2024-58095 |
| VCID-3jmx-jfhk-yqh5 | kernel: usb: gadget: f_ncm: align net_device lifecycle with bind/unbind | CVE-2026-23320 |
| VCID-3kg4-jbwg-zffk | kernel: spi: fix statistics allocation | CVE-2026-23475 |
| VCID-3km6-xsxg-4bcr | | CVE-2026-31426 |
| VCID-3ktq-cbhp-8fhb | kernel: Linux kernel: Denial of Service in NVMe driver due to use-after-free vulnerability | CVE-2025-68265 |
| VCID-3ng4-wb1y-wyem | | CVE-2026-23422 |
| VCID-3p2d-np1n-p3gv | kernel: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads | CVE-2025-37833 |
| VCID-3pv5-s5r1-vkdg | Linux kernel: nfnetlink_osf: Linux kernel: Denial of Service in nfnetlink_osf via crafted network packets | CVE-2026-23397 |
| VCID-3tns-khmb-aqbn | In the Linux kernel, the following vulnerability has been resolved: xfs: avoid dereferencing log items after push callbacks After xfsaild_push_item() calls iop_push(), the log item may have been freed if the AIL lock was dropped during the push. Background inode reclaim or the dquot shrinker can free the log item while the AIL lock is not held, and the tracepoints in the switch statement dereference the log item after iop_push() returns. Fix this by capturing the log item type, flags, and LSN before calling xfsaild_push_item(), and introducing a new xfs_ail_push_class trace event class that takes these pre-captured values and the ailp pointer instead of the log item pointer. | CVE-2026-31453 |
| VCID-3vk2-4sx1-aybu | kernel: video/aperture: optionally match the device in sysfb_disable() | CVE-2024-46698 |
| VCID-3yg6-7zfv-gkaq | kernel: sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket | CVE-2024-53168 |
| VCID-3yzs-sjd2-53d7 | kernel: HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them | CVE-2026-23382 |
| VCID-4399-j8sn-t3b1 | kernel: bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded | CVE-2026-23310 |
| VCID-45qm-naju-pycn | kernel: bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE | CVE-2024-38564 |
| VCID-47k1-5vw2-97hy | kernel: drm/msm/dpu: Add callback function pointer check before its call | CVE-2024-38622 |
| VCID-4bsb-hypz-5bav | kernel: drm/amd/display: fix NULL checks for adev->dm.dc in amdgpu_dm_fini() | CVE-2024-27041 |
| VCID-4ebq-x7rk-4ya3 | kernel: wifi: wilc1000: avoid buffer overflow in WID string configuration | CVE-2025-39952 |
| VCID-4eg9-yh2g-a7gc | kernel: mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray | CVE-2024-42243 |
| VCID-4fhj-v5ut-eubv | kernel: mm/hugetlb: fix hugetlb_pmd_shared() | CVE-2026-23100 |
| VCID-4g8h-bz4a-uydk | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potencial OOB in get_file_all_info() for compound requests When a compound request consists of QUERY_DIRECTORY + QUERY_INFO (FILE_ALL_INFORMATION) and the first command consumes nearly the entire max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16() with PATH_MAX, causing out-of-bounds write beyond the response buffer. In get_file_all_info(), there was a missing validation check for the client-provided OutputBufferLength before copying the filename into FileName field of the smb2_file_all_info structure. If the filename length exceeds the available buffer space, it could lead to potential buffer overflows or memory corruption during smbConvertToUTF16 conversion. This calculating the actual free buffer size using smb2_calc_max_out_buf_len() and returning -EINVAL if the buffer is insufficient and updating smbConvertToUTF16 to use the actual filename length (clamped by PATH_MAX) to ensure a safe copy operation. | CVE-2026-31433 |
| VCID-4ghv-w1sg-77hu | kernel: dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using | CVE-2025-38369 |
| VCID-4jvb-unxd-3qg3 | | CVE-2026-31423 |
| VCID-4kbk-38g4-6kb7 | kernel: bpf, lsm: Add check for BPF LSM return value | CVE-2024-47703 |
| VCID-4mqx-42ea-53c3 | kernel: f2fs: fix to bail out in get_new_segment() | CVE-2025-38333 |
| VCID-4n9m-77qv-fuaa | kernel: iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection | CVE-2025-71198 |
| VCID-4nrq-2zch-8uct | kernel: riscv: stacktrace: Disable KASAN checks for non-current tasks | CVE-2025-40358 |
| VCID-4qwu-fw8y-t7et | kernel: jfs: Fix null-ptr-deref in jfs_ioc_trim | CVE-2025-38203 |
| VCID-4qx6-ysye-efhu | kernel: accel/habanalabs: postpone mem_mgr IDR destruction to hpriv_release() | CVE-2023-53353 |
| VCID-4s4m-bf1u-tyht | kernel: nvme-pci: fix race condition between reset and nvme_dev_disable() | CVE-2024-50135 |
| VCID-4spt-a3n7-z7fu | kernel: Linux kernel: Denial of Service due to missing power management handler for AMD Van Gogh SoC | CVE-2025-68334 |
| VCID-4t4h-a2xy-h7bg | kernel: drm/amd/display: Add a dc_state NULL check in dc_state_release | CVE-2024-26948 |
| VCID-4uvy-ga5j-a7g3 | kernel: spi: lpspi: Avoid potential use-after-free in probe() | CVE-2024-26866 |
| VCID-4vs9-vhrd-zfgn | kernel: jfs: add check read-only before truncation in jfs_truncate_nolock() | CVE-2024-58094 |
| VCID-4wyy-uw7z-5be9 | kernel: net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work | CVE-2025-40003 |
| VCID-5ahq-saw1-suf1 | | CVE-2026-31420 |
| VCID-5b4f-sket-kuge | kernel: f2fs: quota: fix to avoid warning in dquot_writeback_dquots() | CVE-2025-23132 |
| VCID-5ehk-s7ww-vfc7 | kernel: platform/x86: think-lmi: Fix password opcode ordering for workstations | CVE-2024-26836 |
| VCID-5eks-kg2z-5ye1 | In the Linux kernel, the following vulnerability has been resolved: drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug When trying to do a rather aggressive test of igt's "xe_module_load --r reload" with a full desktop environment and game running I noticed a few OOPSes when dereferencing freed pointers, related to framebuffers and property blobs after the compositor exits. Solve this by guarding the freeing in drm_file with drm_dev_enter/exit, and immediately put the references from struct drm_file objects during drm_dev_unplug(). Related warnings for framebuffers on the subtest: WARN_ON(!list_empty(&dev->mode_config.fb_list)) [ 739.713079] WARNING: drivers/gpu/drm/drm_mode_config.c:584 at drm_mode_config_cleanup+0x30b/0x320 [drm], CPU#12: xe_module_load/13145 and [ 739.714461] xe 0000:67:00.0: [drm] drm_WARN_ON(!list_empty(&fb->filp_head)) [ 739.714464] WARNING: drivers/gpu/drm/drm_framebuffer.c:833 at drm_framebuffer_free+0x6c/0x90 [drm], CPU#12: xe_module_load/13145 and then finally file close blows up: [ 743.186530] Oops: general protection fault, probably for non-canonical address 0xdead000000000122: 0000 [#1] SMP [ 743.186539] RIP: 0010:drm_framebuffer_cleanup+0x55/0xc0 [drm] ---truncated--- | CVE-2026-23471 |
| VCID-5g2a-qj5r-uub4 | kernel: wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() | CVE-2026-23336 |
| VCID-5gv4-c26w-gube | kernel: drm/amd/display: Fix null pointer deref in dcn20_resource.c | CVE-2024-43899 |
| VCID-5gz4-1ysh-2qf7 | kernel: net: ena: Add validation for completion descriptors consistency | CVE-2024-40999 |
| VCID-5hdv-pgsr-cfbm | kernel: bpf: Guard stack limits against 32bit overflow | CVE-2023-52676 |
| VCID-5hrr-xvrw-ebd9 | kernel: mm/shmem: disable PMD-sized page cache if needed | CVE-2024-42241 |
| VCID-5j3a-r6pk-2kdb | kernel: ALSA: hda: Fix missing pointer check in hda_component_manager_init function | CVE-2025-40097 |
| VCID-5kdh-vgcu-kkf3 | In the Linux kernel, the following vulnerability has been resolved: af_key: validate families in pfkey_send_migrate() syzbot was able to trigger a crash in skb_put() [1] Issue is that pfkey_send_migrate() does not check old/new families, and that set_ipsecrequest() @family argument was truncated, thus possibly overfilling the skb. Validate families early, do not wait set_ipsecrequest(). [1] skbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:<NULL> kernel BUG at net/core/skbuff.c:214 ! Call Trace: <TASK> skb_over_panic net/core/skbuff.c:219 [inline] skb_put+0x159/0x210 net/core/skbuff.c:2655 skb_put_zero include/linux/skbuff.h:2788 [inline] set_ipsecrequest net/key/af_key.c:3532 [inline] pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636 km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848 xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705 xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150 | CVE-2026-31515 |
| VCID-5nsy-fndc-7ka8 | kernel: tty: n_gsm: Don't block input queue by waiting MSC | CVE-2025-40071 |
| VCID-5v5u-d5mg-53bv | kernel: net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup() | CVE-2026-23284 |
| VCID-5wr6-yach-7fbf | kernel: crypto: stm32/cryp - call finalize with bh disabled | CVE-2024-47658 |
| VCID-5yp2-meun-zbas | kernel: ax25: fix use-after-free bugs caused by ax25_ds_del_timer | CVE-2024-35887 |
| VCID-5zuy-q1p8-hqex | kernel: coresight: Fix memory leak in acpi_buffer->pointer | CVE-2023-53261 |
| VCID-61t7-s6qz-mfcf | kernel: drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM | CVE-2025-40289 |
| VCID-63m2-phjq-kuav | kernel: RISC-V: KVM: Write hgatp register with valid mode bits | CVE-2025-40065 |
| VCID-64g2-43qf-5qg1 | kernel: ksmbd: fix overflow in dacloffset bounds check | CVE-2025-22039 |
| VCID-651u-f45c-57de | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: clamp SCO altsetting table indices btusb_work() maps the number of active SCO links to USB alternate settings through a three-entry lookup table when CVSD traffic uses transparent voice settings. The lookup currently indexes alts[] with data->sco_num - 1 without first constraining sco_num to the number of available table entries. While the table only defines alternate settings for up to three SCO links, data->sco_num comes from hci_conn_num() and is used directly. Cap the lookup to the last table entry before indexing it so the driver keeps selecting the highest supported alternate setting without reading past alts[]. | CVE-2026-31497 |
| VCID-687u-nzmt-n7a6 | kernel: ila: serialize calls to nf_register_net_hooks() | CVE-2024-57900 |
| VCID-6c3x-q991-5uh7 | kernel: net: enetc: allocate vf_state during PF probes | CVE-2024-50298 |
| VCID-6cqc-um2d-1kfk | kernel: wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() | CVE-2026-23315 |
| VCID-6ejs-59g2-xkgg | kernel: drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities | CVE-2025-39707 |
| VCID-6hf1-vsj3-a3h5 | kernel: drm/msm: Add error handling for krealloc in metadata setup | CVE-2025-39747 |
| VCID-6hur-ug1s-83am | In the Linux kernel, the following vulnerability has been resolved: serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN uart_write_room() and uart_write() behave inconsistently when xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were never properly initialized): - uart_write_room() returns kfifo_avail() which can be > 0 - uart_write() checks xmit_buf and returns 0 if NULL This inconsistency causes an infinite loop in drivers that rely on tty_write_room() to determine if they can write: while (tty_write_room(tty) > 0) { written = tty->ops->write(...); // written is always 0, loop never exits } For example, caif_serial's handle_tx() enters an infinite loop when used with PORT_UNKNOWN serial ports, causing system hangs. Fix by making uart_write_room() also check xmit_buf and return 0 if it's NULL, consistent with uart_write(). Reproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13 | CVE-2026-23472 |
| VCID-6jzb-qp5p-47ex | kernel: wifi: ath11k: fix RCU stall while reaping monitor destination ring | CVE-2024-58097 |
| VCID-6n32-z9u6-gfch | kernel: f2fs: fix to truncate first page in error path of f2fs_truncate() | CVE-2025-40137 |
| VCID-6pmw-nqja-affb | kernel: wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path | CVE-2025-23129 |
| VCID-6r1j-pnmx-mkdm | kernel: Linux Kernel: Denial of Service in iwlwifi due to improper firmware error handling | CVE-2025-38096 |
| VCID-6r4x-xaaf-b7ft | kernel: drm/scheduler: signal scheduled fence when kill job | CVE-2025-38436 |
| VCID-6syp-3js8-qudn | kernel: spi: fsl-qspi: use devm function instead of driver remove | CVE-2025-37842 |
| VCID-6tb9-nnj3-57gv | kernel: drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() | CVE-2024-35951 |
| VCID-6wrr-yr71-xuhk | kernel: tcp: secure_seq: add back ports to TS offset | CVE-2026-23247 |
| VCID-71m1-rn5c-k3hm | kernel: vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects |
CVE-2025-39850
|
| VCID-724j-jc6b-5uba | kernel: block: fix resource leak in blk_register_queue() error path |
CVE-2025-37980
|
| VCID-72pd-9p33-9qhg | kernel: ceph: fix race condition validating r_parent before applying state |
CVE-2025-39927
|
| VCID-73mg-3qys-3ubr | kernel: ice: fix Tx scheduler error handling in XDP callback |
CVE-2025-38127
|
| VCID-76zh-5x51-kffx | kernel: fs/ntfs3: cancle set bad inode after removing name fails |
CVE-2025-38615
|
| VCID-7892-zv3s-xqhu | kernel: Linux kernel: Denial of Service in netfilter due to integer overflow |
CVE-2025-38162
|
| VCID-798e-hc82-7qcv | kernel: udp: Deal with race between UDP socket address change and rehash |
CVE-2024-57974
|
| VCID-7b27-phbd-fqbq | In the Linux kernel, the following vulnerability has been resolved: spi: spi-fsl-lpspi: fix teardown order issue (UAF) There is a teardown order issue in the driver. The SPI controller is registered using devm_spi_register_controller(), which delays unregistration of the SPI controller until after the fsl_lpspi_remove() function returns. As the fsl_lpspi_remove() function synchronously tears down the DMA channels, a running SPI transfer triggers the following NULL pointer dereference due to use after free: | fsl_lpspi 42550000.spi: I/O Error in DMA RX | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [...] | Call trace: | fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi] | fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi] | spi_transfer_one_message+0x49c/0x7c8 | __spi_pump_transfer_message+0x120/0x420 | __spi_sync+0x2c4/0x520 | spi_sync+0x34/0x60 | spidev_message+0x20c/0x378 [spidev] | spidev_ioctl+0x398/0x750 [spidev] [...] Switch from devm_spi_register_controller() to spi_register_controller() in fsl_lpspi_probe() and add the corresponding spi_unregister_controller() in fsl_lpspi_remove(). |
CVE-2026-31485
|
| VCID-7dx8-ys84-zuac | kernel: clk: sunxi-ng: h616: Reparent GPU clock during frequency changes |
CVE-2025-38041
|
| VCID-7eh9-dqkv-j3bm | kernel: dmaengine: ti: k3-udma-glue: Drop skip_fdq argument from k3_udma_glue_reset_rx_chn |
CVE-2025-38042
|
| VCID-7ejt-hdra-93ez | kernel: blk-mq: fix tags leak when shrink nr_hw_queues |
CVE-2023-54227
|
| VCID-7ey4-wrhk-zfce | kernel: coresight: holding cscfg_csdev_lock while removing cscfg from csdev |
CVE-2025-38132
|
| VCID-7fcn-v6b9-yber | kernel: riscv: Fix IPIs usage in kfence_protect_page() |
CVE-2024-53687
|
| VCID-7fke-ahd3-e7ac | kernel: Bluetooth: hci_conn: Use disable_delayed_work_sync |
CVE-2024-56591
|
| VCID-7gw9-7kbs-2uh2 | kernel: landlock: Fix handling of disconnected directories |
CVE-2025-68736
|
| VCID-7hpf-k162-1ubu | kernel: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv |
CVE-2026-23035
|
| VCID-7hxb-dbmf-nufr | kernel: vfio/mlx5: Fix an unwind issue in mlx5vf_add_migration_pages() |
CVE-2024-56742
|
| VCID-7j8j-s3am-6bgv | kernel: Linux kernel: Denial of Service via double-increment of reference count in netfilter |
CVE-2025-39764
|
| VCID-7kxd-yjnx-m7f2 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb Before using sk pointer, check if it is null. Fix the following: KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267] |
CVE-2026-31510
|
| VCID-7r8h-rr9v-7qht | kernel: ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. |
CVE-2025-38438
|
| VCID-7t89-3m8t-1ydq | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix drm_edid leak in amdgpu_dm [WHAT] When a sink is connected, aconnector->drm_edid was overwritten without freeing the previous allocation, causing a memory leak on resume. [HOW] Free the previous drm_edid before updating it. (cherry picked from commit 52024a94e7111366141cfc5d888b2ef011f879e5) |
CVE-2026-31461
|
| VCID-7v4n-4x85-dygx | kernel: mm/userfaultfd: reset ptes when close() for wr-protected ones |
CVE-2024-36881
|
| VCID-7v66-8w2u-duf9 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HIDP: Fix possible UAF This fixes the following trace caused by not dropping l2cap_conn reference when user->remove callback is called: ---truncated--- |
CVE-2026-23462
|
| VCID-7vdf-qwa1-ubeg | kernel: smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work) |
CVE-2025-39932
|
| VCID-82f7-2axv-jbbf | kernel: rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access |
CVE-2025-38704
|
| VCID-82py-ut98-qfb3 | kernel: iommu/amd/pgtbl: Fix possible race while increase page table level |
CVE-2025-39961
|
| VCID-868a-udb4-qfbm | kernel: ALSA: aloop: Fix racy access at PCM trigger |
CVE-2026-23191
|
| VCID-87gw-ezjs-cqcs | kernel: svcrdma: bound check rq_pages index in inline path |
CVE-2025-71068
|
| VCID-8859-uavn-xygj | kernel: xen: fix UAF in dmabuf_exp_from_pages() |
CVE-2025-38595
|
| VCID-887n-3662-zfba | kernel: ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params |
CVE-2024-58012
|
| VCID-898p-crnv-w7cb | In the Linux kernel, the following vulnerability has been resolved: HID: apple: avoid memory leak in apple_report_fixup() The apple_report_fixup() function was returning a newly kmemdup()-allocated buffer, but never freeing it. The caller of report_fixup() does not take ownership of the returned pointer, but it *is* permitted to return a sub-portion of the input rdesc, whose lifetime is managed by the caller. |
CVE-2026-31520
|
| VCID-8b4z-nus3-c7h8 | kernel: ksmbd: fix refcount leak causing resource not released |
CVE-2025-39720
|
| VCID-8bmx-4nbw-6qcn | kernel: ice: Fix memory leak in ice_set_ringparam() |
CVE-2026-23389
|
| VCID-8d9a-bf6e-dkga | kernel: scsi: mpi3mr: Fix corrupt config pages PHY state is switched in sysfs |
CVE-2024-57804
|
| VCID-8e38-5bq1-8be9 | kernel: Linux kernel: Denial of Service in SMB client due to deadlock during channel reconnection |
CVE-2025-38244
|
| VCID-8edx-kmgw-jue5 | kernel: can: j1939: implement NETDEV_UNREGISTER notification handler |
CVE-2025-39925
|
| VCID-8q1z-p2qp-nkbf | In the Linux kernel, the following vulnerability has been resolved: xfs: stop reclaim before pushing AIL during unmount The unmount sequence in xfs_unmount_flush_inodes() pushed the AIL while background reclaim and inodegc are still running. This is broken independently of any use-after-free issues - background reclaim and inodegc should not be running while the AIL is being pushed during unmount, as inodegc can dirty and insert inodes into the AIL during the flush, and background reclaim can race to abort and free dirty inodes. Reorder xfs_unmount_flush_inodes() to stop inodegc and cancel background reclaim before pushing the AIL. Stop inodegc before cancelling m_reclaim_work because the inodegc worker can re-queue m_reclaim_work via xfs_inodegc_set_reclaimable. |
CVE-2026-31455
|
| VCID-8q49-pygk-33d1 | kernel: drm/amd/display: Check link_index before accessing dc->links[] |
CVE-2024-46813
|
| VCID-8qua-yr2x-s7fd | kernel: af_unix: Give up GC if MSG_PEEK intervened |
CVE-2026-23394
|
| VCID-8ssr-76q5-6kf4 | kernel: iomap: adjust read range correctly for non-block-aligned positions |
CVE-2025-68794
|
| VCID-8sv6-72c2-kybe | kernel: f2fs: don't reset unchangable mount option in f2fs_remount() |
CVE-2023-53447
|
| VCID-8ud8-f75a-jyew | kernel: ice: Fix improper extts handling |
CVE-2024-42139
|
| VCID-8xay-cepn-vfdd | In the Linux kernel, the following vulnerability has been resolved: ksmbd: do not expire session on binding failure When a multichannel session binding request fails (e.g. wrong password), the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED. However, during binding, sess points to the target session looked up via ksmbd_session_lookup_slowpath() -- which belongs to another connection's user. This allows a remote attacker to invalidate any active session by simply sending a binding request with a wrong password (DoS). Fix this by skipping session expiration when the failed request was a binding attempt, since the session does not belong to the current connection. The reference taken by ksmbd_session_lookup_slowpath() is still correctly released via ksmbd_user_session_put(). |
CVE-2026-31476
|
| VCID-8xdj-ys7r-rffm | kernel: ksmbd: add refcnt to ksmbd_conn struct |
CVE-2024-49988
|
| VCID-8zy9-cpzf-q3be | kernel: KVM: arm64: Get rid of userspace_irqchip_in_use |
CVE-2024-53195
|
| VCID-92j7-p476-97ca | kernel: f2fs: fix to do sanity check on direct node in truncate_dnode() |
CVE-2023-53846
|
| VCID-93ay-73z5-h7er | kernel: ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers |
CVE-2025-21870
|
| VCID-93fb-qqv8-wyeb | kernel: eth: bnxt: always recalculate features after XDP clearing, fix null-deref |
CVE-2025-21682
|
| VCID-93h7-cr4j-sbfn | In the Linux kernel, the following vulnerability has been resolved: team: fix header_ops type confusion with non-Ethernet ports Similar to commit 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()") team has the same class of header_ops type confusion. For non-Ethernet ports, team_setup_by_port() copies port_dev->header_ops directly. When the team device later calls dev_hard_header() or dev_parse_header(), these callbacks can run with the team net_device instead of the real lower device, so netdev_priv(dev) is interpreted as the wrong private type and can crash. The syzbot report shows a crash in bond_header_create(), but the root cause is in team: the topology is gre -> bond -> team, and team calls the inherited header_ops with its own net_device instead of the lower device, so bond_header_create() receives a team device and interprets netdev_priv() as bonding private data, causing a type confusion crash. Fix this by introducing team header_ops wrappers for create/parse, selecting a team port under RCU, and calling the lower device callbacks with port->dev, so each callback always sees the correct net_device context. Also pass the selected lower device to the lower parse callback, so recursion is bounded in stacked non-Ethernet topologies and parse callbacks always run with the correct device context. |
CVE-2026-31502
|
| VCID-93jq-59ak-xygv | kernel: spi: microchip-core: ensure TX and RX FIFOs are empty at start of a transfer |
CVE-2024-42279
|
| VCID-93yj-3vbb-3ub5 | kernel: bpf: Check the helper function is valid in get_helper_proto |
CVE-2025-39990
|
| VCID-94ha-pwzk-dbdt | kernel: Linux kernel (mlx5e): Denial of Service due to NULL pointer dereference during network profile change |
CVE-2026-23000
|
| VCID-94k1-ja9w-2fd2 |
CVE-2026-31421
|
|
| VCID-94kq-ycmm-3bgn | kernel: LoongArch: Update cpu_sibling_map when disabling nonboot CPUs |
CVE-2024-26841
|
| VCID-98mp-5h68-73eg | kernel: Linux kernel: Denial of Service during UFS power down |
CVE-2025-68236
|
| VCID-98y4-8sve-mfbz | kernel: mlx5: Fix default values in create CQ |
CVE-2025-68209
|
| VCID-995q-6nn5-ykgg | kernel: scsi: ufs: pltfrm: Dellocate HBA during ufshcd_pltfrm_remove() |
CVE-2024-57872
|
| VCID-99f9-ne8p-d7c5 | kernel: LoongArch: BPF: Don't override subprog's return value |
CVE-2025-22048
|
| VCID-9axb-sz3w-ubcx | In the Linux kernel, the following vulnerability has been resolved: udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 (success) without actually creating a socket. Callers such as fou_create() then proceed to dereference the uninitialized socket pointer, resulting in a NULL pointer dereference. The captured NULL deref crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764) [...] Call Trace: <TASK> genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114) genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209) [...] netlink_rcv_skb (net/netlink/af_netlink.c:2550) genl_rcv (net/netlink/genetlink.c:1219) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1)) __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1)) __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130) This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so callers correctly take their error paths. There is only one caller of the vulnerable function and only privileged users can trigger it. |
CVE-2026-23439
|
| VCID-9axt-c2hy-63eb | kernel: net/sched: act_mirred: use the backlog for mirred ingress |
CVE-2024-26740
|
| VCID-9azr-qrcs-k7by | kernel: netfilter: nf_tables: fix memleak in map from abort path |
CVE-2024-27011
|
| VCID-9cpj-kd98-33bz | kernel: net/sched: act_gate: snapshot parameters with RCU on replace |
CVE-2026-23245
|
| VCID-9cuj-t2sc-bbdj | kernel: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions |
CVE-2026-23317
|
| VCID-9dfd-an6h-67gp | kernel: btrfs: do not strictly require dirty metadata threshold for metadata writepages |
CVE-2026-23157
|
| VCID-9dms-q8x2-a3em | kernel: RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error |
CVE-2025-21732
|
| VCID-9ej7-7tra-zqcm | kernel: netfilter: nft_set_rbtree: validate open interval overlap |
CVE-2026-23333
|
| VCID-9fn1-ytny-vke1 | kernel: drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit() |
CVE-2024-52559
|
| VCID-9hnv-7gae-2kc8 | kernel: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv |
CVE-2026-22996
|
| VCID-9jq2-6zek-rqh3 | kernel: ublk: santizize the arguments from userspace when adding a device |
CVE-2025-38182
|
| VCID-9kuz-7fag-4qhv | kernel: kernel: Privilege escalation or denial of service via use-after-free in nf_tables_addchain() |
CVE-2026-23231
|
| VCID-9m2t-y1zb-hfar |
CVE-2026-31412
|
|
| VCID-9n5j-cp2p-qkhc | kernel: Linux kernel: A use-after-free in bridge multicast in br_multicast_port_ctx_init |
CVE-2025-38248
|
| VCID-9ns9-s6pf-d7hr | kernel: Linux kernel: Denial of Service via integer overflow in dm-stripe |
CVE-2025-39940
|
| VCID-9qfp-tkn1-uqa8 | kernel: net: fec: handle page_pool_dev_alloc_pages error |
CVE-2025-21676
|
| VCID-9qhe-6xhk-hfhf | kernel: IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() |
CVE-2026-23289
|
| VCID-9sm6-shj5-cqh5 | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure ieee80211_tx_prepare_skb() has three error paths, but only two of them free the skb. The first error path (ieee80211_tx_prepare() returning TX_DROP) does not free it, while invoke_tx_handlers() failure and the fragmentation check both do. Add kfree_skb() to the first error path so all three are consistent, and remove the now-redundant frees in callers (ath9k, mt76, mac80211_hwsim) to avoid double-free. Document the skb ownership guarantee in the function's kdoc. |
CVE-2026-23444
|
| VCID-9sqm-1ubb-zqhr | kernel: Linux kernel: Denial of Service in RDMA subsystem via repeated SRQ modification |
CVE-2025-68379
|
| VCID-9t5k-1w4u-8kep | kernel: RDMA/rxe: Remove the direct link to net_device |
CVE-2024-57795
|
| VCID-9tb7-5mp1-pkhc | kernel: net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC |
CVE-2025-21894
|
| VCID-9tbh-mrhu-v3am | kernel: drm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port |
CVE-2025-38597
|
| VCID-9zgh-r671-7ufw | kernel: start_kernel: Add __no_stack_protector function attribute |
CVE-2023-53491
|
| VCID-9zxp-tyb1-ubg8 | kernel: md/dm-raid: don't call md_reap_sync_thread() directly |
CVE-2024-35808
|
| VCID-a1ez-xh2w-7ba6 | In the Linux kernel, the following vulnerability has been resolved: ext4: publish jinode after initialization ext4_inode_attach_jinode() publishes ei->jinode to concurrent users. It used to set ei->jinode before jbd2_journal_init_jbd_inode(), allowing a reader to observe a non-NULL jinode with i_vfs_inode still unset. The fast commit flush path can then pass this jinode to jbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and may crash. Below is the crash I observe: Fix this by initializing the jbd2_inode first. Use smp_wmb() and WRITE_ONCE() to publish ei->jinode after initialization. Readers use READ_ONCE() to fetch the pointer. |
CVE-2026-31450
|
| VCID-a1rd-xu94-9bad | kernel: amd/amdkfd: sync all devices to wait all processes being evicted |
CVE-2024-36949
|
| VCID-a1xg-dyn3-skb6 | kernel: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ |
CVE-2026-23395
|
| VCID-a29y-u4f3-nkfk | kernel: staging: most: remove broken i2c driver |
CVE-2025-68755
|
| VCID-a2jn-1xhp-9fg3 | kernel: drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked() |
CVE-2025-68190
|
| VCID-a36h-pqj3-9bhe | kernel: xdp: produce a warning when calculated tailroom is negative |
CVE-2026-23343
|
| VCID-a3d8-8qvy-ykdr | kernel: sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting |
CVE-2026-23371
|
| VCID-a3yj-v3tu-d7ga | kernel: RDMA/mlx5: Move events notifier registration to be after device registration |
CVE-2024-53224
|
| VCID-a51v-ajen-u7et | kernel: wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change |
CVE-2024-46860
|
| VCID-a5tz-dm6g-zqch | kernel: smb: client: Don't log plaintext credentials in cifs_set_cifscreds |
CVE-2026-23303
|
| VCID-a6ke-6716-fker | kernel: netfilter: nft_ct: add seqadj extension for natted connections |
CVE-2025-68206
|
| VCID-a7fz-5z23-17ey | kernel: cyttsp4_core: use-after-free in cyttsp4_watchdog_work() |
CVE-2023-4134
|
| VCID-a89e-bca3-1qfg | kernel: drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read() |
CVE-2024-50282
|
| VCID-a8cp-9ykt-xbdx | kernel: bpf: support non-r10 register spill/fill to/from stack in precision tracking |
CVE-2023-52920
|
| VCID-a8ja-eegd-yqhk | kernel: net/mlx5: Register devlink first under devlink lock |
CVE-2024-35961
|
| VCID-a8u6-m3s1-5fdx | kernel: mm/smaps: fix race between smaps_hugetlb_range and migration |
CVE-2025-39754
|
| VCID-aawx-4bwq-5ubw | kernel: Linux kernel Bluetooth: Denial of Service due to use-after-free in connection handling |
CVE-2023-53762
|
| VCID-abcd-nfuq-2kc6 | kernel: Linux kernel: Denial of Service via use-after-free in IMM SCSI host adapter |
CVE-2025-68324
|
| VCID-abfm-ssmn-1fap | kernel: fs/ntfs3: Mark inode as bad as soon as error detected in mi_enum_attr() |
CVE-2024-52560
|
| VCID-ah9v-pkq9-uqek | kernel: spi-rockchip: Fix register out of bounds access |
CVE-2025-38081
|
| VCID-ahsf-n2te-bfa2 | kernel: md/raid10: wait barrier before returning discard request with REQ_NOWAIT |
CVE-2025-40325
|
| VCID-ahvx-mjgn-5fa8 | kernel: io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop |
CVE-2026-23113
|
| VCID-aj3p-9trr-87cz | kernel: net/ncsi: Disable the ncsi work before freeing the associated structure |
CVE-2024-49945
|
| VCID-ajfm-hpzg-uqck | kernel: cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed() |
CVE-2026-23327
|
| VCID-ajr2-wmhj-fbbj | kernel: ksmbd: fix use-after-free of share_conf in compound request |
CVE-2026-23428
|
| VCID-akq2-c6hp-tfda | kernel: crypto: hisilicon/qm - request reserved interrupt for virtual function |
CVE-2025-40136
|
| VCID-akv9-pdny-1yh6 | kernel: fs: ntfs3: check return value of indx_find to avoid infinite loop |
CVE-2025-71266
|
| VCID-an5c-5rea-u3aq | kernel: dlm: prevent NPD when writing a positive value to event_done |
CVE-2025-23131
|
| VCID-ans1-wmuz-e3bw | kernel: memory leak in ubi driver |
CVE-2024-25740
|
| VCID-apfq-mqch-jkgr | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculate where the current message ends. The loop then treats trailing data in the TCP segment as a second SIP message and processes it through the SDP parser. Fix this by changing clen to unsigned long to match the return type of simple_strtoul(), and reject Content-Length values that exceed the remaining TCP payload length. |
CVE-2026-23457
|
| VCID-asy4-m48b-xydu | kernel: netfilter: nf_tables: release flowtable after rcu grace period on error |
CVE-2026-23392
|
| VCID-atux-q6hk-hfau | kernel: loop: Avoid updating block size under exclusive owner |
CVE-2025-38709
|
| VCID-av2k-qrby-suhg | kernel: LoongArch: Enable IRQ if do_ale() triggered in irq-enabled context |
CVE-2024-50111
|
| VCID-awuq-scq3-fuev | kernel: drm/msm/dpu: Add missing NULL pointer check for pingpong interface |
CVE-2025-71138
|
| VCID-aywj-7j4w-z3au | kernel: drm/vmwgfx: Unmap the surface before resetting it on a plane state |
CVE-2023-52648
|
| VCID-aze6-wgfm-3ycv | kernel: ASoC: SOF: avoid a NULL dereference with unsupported widgets |
CVE-2023-54233
|
| VCID-b1an-t4b8-4bd1 | kernel: net: usb: pegasus: validate USB endpoints |
CVE-2026-23290
|
| VCID-b2kt-hmz5-yuhb | kernel: mm: fix uprobe pte be overwritten when expanding vma |
CVE-2025-38207
|
| VCID-b4ct-fnbp-43a3 | kernel: cxgb4: use-after-free in ch_flower_stats_cb() |
CVE-2023-4133
|
| VCID-b51x-3ss2-67ex | kernel: RDMA/siw: Fix potential NULL pointer dereference in header processing |
CVE-2026-23242
|
| VCID-b9uq-ggy1-eyan | kernel: Linux kernel: Denial of Service in qla2xxx SCSI driver due to improper command handling after chip reset |
CVE-2025-68745
|
| VCID-ba6k-mvxj-8udm | hw: amd: Instruction raise #VC exception at exit |
CVE-2024-25742
|
| VCID-bcd9-e6dd-r3cf | kernel: btrfs: harden block_group::bg_list against list_del() races |
CVE-2025-37856
|
| VCID-beg3-c4a1-cfay | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix memory leaks and NULL deref in smb2_lock() smb2_lock() has three error handling issues after list_del() detaches smb_lock from lock_list at no_check_cl: 1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK path, goto out leaks smb_lock and its flock because the out: handler only iterates lock_list and rollback_list, neither of which contains the detached smb_lock. 2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out leaks smb_lock and flock for the same reason. The error code returned to the dispatcher is also stale. 3) In the rollback path, smb_flock_init() can return NULL on allocation failure. The result is dereferenced unconditionally, causing a kernel NULL pointer dereference. Add a NULL check to prevent the crash and clean up the bookkeeping; the VFS lock itself cannot be rolled back without the allocation and will be released at file or connection teardown. Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before the if(!rc) check in the UNLOCK branch so all exit paths share one free site, and by freeing smb_lock and flock before goto out in the non-UNLOCK branch. Propagate the correct error code in both cases. Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding a NULL check for locks_free_lock(rlock) in the shared cleanup. Found via call-graph analysis using sqry. |
CVE-2026-31477
|
| VCID-bens-aw9k-xka2 | kernel: rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy |
CVE-2025-21635
|
| VCID-bf5y-rqaa-afc9 | kernel: f2fs: fix to truncate meta inode pages forcely |
CVE-2024-26869
|
| VCID-bfjx-x5b3-53bg | kernel: of: unittest: Fix memory leak in unittest_data_add() |
CVE-2026-23137
|
| VCID-bg8h-jw13-8yhk | In multiple functions of mem_protect.c, there is a possible way to access hypervisor memory due to a memory access check in the wrong place. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. |
CVE-2023-21264
|
| VCID-bkp8-m2yc-qub7 | kernel: cxl: Fix race of nvdimm_bus object when creating nvdimm objects |
CVE-2026-23348
|
| VCID-bnbm-zhck-yfex | kernel: ALSA: control: Avoid WARN() for symlink errors |
CVE-2024-56657
|
| VCID-bpmy-u7wr-kude | kernel: can: mcp251x: fix deadlock in error path of mcp251x_open |
CVE-2026-23357
|
| VCID-bq18-jcph-kkhh | kernel: perf: RISCV: Fix panic on pmu overflow handler |
CVE-2024-26902
|
| VCID-bq5a-jeg3-9ua7 | kernel: nfc: pn533: properly drop the usb interface reference on disconnect |
CVE-2026-23291
|
| VCID-brte-gqy3-r3ax | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix OOB write in QUERY_INFO for compound requests When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor. The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synthesized a significantly larger descriptor from POSIX ACLs. This patch introduces smb_acl_sec_desc_scratch_len() to accurately compute the final descriptor size beforehand, performs proper buffer checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation + iov pinning. |
CVE-2026-31432
|
| VCID-brwq-qcbd-c3ep | kernel: x86/mm: Randomize per-cpu entry area |
CVE-2023-0597
|
| VCID-buyh-2d37-rqb1 | kernel: bpf: bpf_sk_storage: Fix invalid wait context lockdep report |
CVE-2023-53857
|
| VCID-bxaj-dwje-sbhe | kernel: drm/amd/display: Remove register from DCN35 DMCUB diagnostic collection |
CVE-2024-47662
|
| VCID-c2ee-9r7y-9qfw | kernel: PCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar() |
CVE-2024-58006
|
| VCID-c2me-ar1y-y7dw | kernel: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() |
CVE-2026-23004
|
| VCID-c2y9-myfb-s3f6 | kernel: x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client |
CVE-2024-53114
|
| VCID-c3wk-9gm2-fkeq | kernel: drm/amd/display: Refactor DMCUB enter/exit idle interface |
CVE-2023-52625
|
| VCID-c42q-j659-e3gt | kernel: Linux kernel: PCI/ASPM use-after-free during hot-unplug |
CVE-2024-58093
|
| VCID-c49r-knse-6bc5 | kernel: smb: client: let recv_done verify data_offset, data_length and remaining_data_length |
CVE-2025-39933
|
| VCID-c7xf-x7d5-87gn |
CVE-2026-31418
|
|
| VCID-c86j-dzs8-nuem | kernel: Bluetooth: MGMT: Protect mgmt_pending list with its own lock |
CVE-2025-38117
|
| VCID-c8qb-kbef-8qg8 | kernel: Bluetooth: HCI: Remove HCI_AMP support |
CVE-2024-38620
|
| VCID-c8t3-zakp-jqe2 | kernel: drm/amd/display: increase max link count and fix link->enc NULL pointer access |
CVE-2025-40354
|
| VCID-c8xs-q7hr-uua8 | kernel: hwmon: (drivetemp) Fix driver producing garbage data when SCSI errors occur |
CVE-2025-21656
|
| VCID-c9br-38nh-sfg4 | kernel: ksmbd: fix null pointer dereference in alloc_preauth_hash() |
CVE-2025-22037
|
| VCID-c9h3-3nm5-jqcq | kernel: s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings |
CVE-2024-42158
|
| VCID-cayc-j15f-ekdv | kernel: wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() |
CVE-2026-23279
|
| VCID-cbrz-vaxe-b3dt | kernel: iommu/vt-d: Fix NULL domain on device release |
CVE-2024-27079
|
| VCID-cear-n94a-jqdq | kernel: KVM: arm64: Fix circular locking dependency |
CVE-2024-26691
|
| VCID-cecv-w1gr-qkbp | kernel: tracing: Fix crash on synthetic stacktrace field usage |
CVE-2026-23088
|
| VCID-cfms-gd2h-v7gd | kernel: f2fs: fix to do sanity check on node footer for non inode dnode |
CVE-2025-40025
|
| VCID-chgp-ama8-5ycb | In the Linux kernel, the following vulnerability has been resolved: esp: fix skb leak with espintcp and async crypto When the TX queue for espintcp is full, esp_output_tail_tcp will return an error and not free the skb, because with synchronous crypto, the common xfrm output code will drop the packet for us. With async crypto (esp_output_done), we need to drop the skb when esp_output_tail_tcp returns an error. |
CVE-2026-31518
|
| VCID-cjnk-7asz-zuhp | kernel: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing |
CVE-2026-23383
|
| VCID-cn7e-8bbs-rubj | kernel: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion |
CVE-2025-21729
|
| VCID-cp52-z8dw-gfhf | kernel: rxrpc: Fix handling of received connection abort |
CVE-2024-58053
|
| VCID-cqrs-uu2s-affj | kernel: scsi: pm8001: Fix use-after-free in pm8001_queue_command() |
CVE-2026-23306
|
| VCID-cqye-p3y7-bfdp | kernel: mm/thp: fix deferred split unqueue naming and locking |
CVE-2024-53079
|
| VCID-cs7h-d7vk-73ab | kernel: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend |
CVE-2025-71193
|
| VCID-cv97-j139-vbfz | In the Linux kernel, the following vulnerability has been resolved: ext4: convert inline data to extents when truncate exceeds inline size Add a check in ext4_setattr() to convert files from inline data storage to extent-based storage when truncate() grows the file size beyond the inline capacity. This prevents the filesystem from entering an inconsistent state where the inline data flag is set but the file size exceeds what can be stored inline. Without this fix, the following sequence causes a kernel BUG_ON(): 1. Mount filesystem with inode that has inline flag set and small size 2. truncate(file, 50MB) - grows size but inline flag remains set 3. sendfile() attempts to write data 4. ext4_write_inline_data() hits BUG_ON(write_size > inline_capacity) The crash occurs because ext4_write_inline_data() expects inline storage to accommodate the write, but the actual inline capacity (~60 bytes for i_block + ~96 bytes for xattrs) is far smaller than the file size and write request. The fix checks if the new size from setattr exceeds the inode's actual inline capacity (EXT4_I(inode)->i_inline_size) and converts the file to extent-based storage before proceeding with the size change. This addresses the root cause by ensuring the inline data flag and file size remain consistent during truncate operations. |
CVE-2026-31452
|
| VCID-cvcu-khre-3bc8 | kernel: KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception |
CVE-2025-37957
|
| VCID-cvps-1xf8-kqb5 | kernel: MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits |
CVE-2025-71109
|
| VCID-cvw6-a674-zfa9 | kernel: drm/amd/display: Check null pointer before try to access it |
CVE-2024-49906
|
| VCID-cwk5-n1mq-kkd2 | In the Linux kernel, the following vulnerability has been resolved: driver core: platform: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1] |
CVE-2026-31527
|
| VCID-cwnm-um2n-17cw | kernel: net: fix NULL pointer dereference in l3mdev_l3_rcv |
CVE-2025-22103
|
| VCID-cxtx-363a-ufhd | kernel: Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect() |
CVE-2024-36013
|
| VCID-czue-c27z-bkgp | kernel: mm/vmemmap/devdax: fix kernel crash when probing devdax devices |
CVE-2023-53706
|
| VCID-d131-p16m-jqhd | kernel: drm/amdgpu: fix double free err_addr pointer warnings |
CVE-2024-42123
|
| VCID-d14h-dr7c-c3d9 | kernel: net: ravb: Fix missing rtnl lock in suspend/resume path |
CVE-2025-21801
|
| VCID-d1gu-5q4s-p7eq | kernel: net/smc: fix UAF on smcsk after smc_listen_out() |
CVE-2025-38734
|
| VCID-d1ke-rn87-f7ec | kernel: drm/amd/display: Fix handling of plane refcount |
CVE-2024-56775
|
| VCID-d2xf-68nr-rqe2 | kernel: drm/amdgpu: Skip do PCI error slot reset during RAS recovery |
CVE-2024-35931
|
| VCID-d3x6-8uek-qkgn | kernel: scsi: ufs: core: Fix handling of lrbp->cmd |
CVE-2023-53510
|
| VCID-d4u6-bzuu-dubz | kernel: dmaengine: lpc18xx-dmamux: fix device leak on route allocation |
CVE-2025-71188
|
| VCID-d5cu-m235-x3gr | kernel: fs/ntfs3: Return error for inconsistent extended attributes |
CVE-2023-54125
|
| VCID-d83g-5tdr-7fd5 | kernel: gve: Account for stopped queues when reading NIC stats |
CVE-2024-42162
|
| VCID-d8ad-6vw9-b7f2 | kernel: drm/amd/display: fix a Null pointer dereference vulnerability |
CVE-2025-39705
|
| VCID-d8tr-usd8-6yca | kernel: PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV |
CVE-2025-40219
|
| VCID-d9ty-7748-33a7 | kernel: net/smc: initialize close_work early to avoid warning |
CVE-2024-56641
|
| VCID-dav4-474s-33hg | kernel: drm/i915/hdcp: Add encoder check in intel_hdcp_get_capability |
CVE-2024-53051
|
| VCID-dcd5-4y9y-euf5 | kernel: drm/amd/display: Wake DMCUB before sending a command cause deadlock |
CVE-2023-52485
|
| VCID-dda8-c6rr-sqgq | kernel: hfs: fix general protection fault in hfs_find_init() |
CVE-2025-38716
|
| VCID-ddm7-5p27-3khg | kernel: io_uring/io-wq: Use set_bit() and test_bit() at worker->flags |
CVE-2024-39508
|
| VCID-dfj9-5xtt-qba4 | kernel: smb: Initialize cfid->tcon before performing network ops |
CVE-2024-56729
|
| VCID-dgr2-7fpq-4bgv | In the Linux kernel, the following vulnerability has been resolved: btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create We have recently observed a number of subvolumes with broken dentries. ls-ing the parent dir looks like: drwxrwxrwt 1 root root 16 Jan 23 16:49 . drwxr-xr-x 1 root root 24 Jan 23 16:48 .. d????????? ? ? ? ? ? broken_subvol and similarly stat-ing the file fails. In this state, deleting the subvol fails with ENOENT, but attempting to create a new file or subvol over it errors out with EEXIST and even aborts the fs. Which leaves us a bit stuck. dmesg contains a single notable error message reading: "could not do orphan cleanup -2" 2 is ENOENT and the error comes from the failure handling path of btrfs_orphan_cleanup(), with the stack leading back up to btrfs_lookup(). btrfs_lookup btrfs_lookup_dentry btrfs_orphan_cleanup // prints that message and returns -ENOENT After some detailed inspection of the internal state, it became clear that: - there are no orphan items for the subvol - the subvol is otherwise healthy looking, it is not half-deleted or anything, there is no drop progress, etc. - the subvol was created a while ago and does the meaningful first btrfs_orphan_cleanup() call that sets BTRFS_ROOT_ORPHAN_CLEANUP much later. - after btrfs_orphan_cleanup() fails, btrfs_lookup_dentry() returns -ENOENT, which results in a negative dentry for the subvolume via d_splice_alias(NULL, dentry), leading to the observed behavior. The bug can be mitigated by dropping the dentry cache, at which point we can successfully delete the subvolume if we want. i.e., btrfs_lookup() btrfs_lookup_dentry() if (!sb_rdonly(inode->vfs_inode)->vfs_inode) btrfs_orphan_cleanup(sub_root) test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP) btrfs_search_slot() // finds orphan item for inode N ... 
prints "could not do orphan cleanup -2" if (inode == ERR_PTR(-ENOENT)) inode = NULL; return d_splice_alias(NULL, dentry) // NEGATIVE DENTRY for valid subvolume btrfs_orphan_cleanup() does test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP) on the root when it runs, so it cannot run more than once on a given root, so something else must run concurrently. However, the obvious routes to deleting an orphan when nlinks goes to 0 should not be able to run without first doing a lookup into the subvolume, which should run btrfs_orphan_cleanup() and set the bit. The final important observation is that create_subvol() calls d_instantiate_new() but does not set BTRFS_ROOT_ORPHAN_CLEANUP, so if the dentry cache gets dropped, the next lookup into the subvolume will make a real call into btrfs_orphan_cleanup() for the first time. This opens up the possibility of concurrently deleting the inode/orphan items but most typical evict() paths will be holding a reference on the parent dentry (child dentry holds parent->d_lockref.count via dget in d_alloc(), released in __dentry_kill()) and prevent the parent from being removed from the dentry cache. The one exception is delayed iputs. Ordered extent creation calls igrab() on the inode. If the file is unlinked and closed while those refs are held, iput() in __dentry_kill() decrements i_count but does not trigger eviction (i_count > 0). The child dentry is freed and the subvol dentry's d_lockref.count drops to 0, making it evictable while the inode is still alive. Since there are two races (the race between writeback and unlink and the race between lookup and delayed iputs), and there are too many moving parts, the following three diagrams show the complete picture. (Only the second and third are races) Phase 1: Create Subvol in dentry cache without BTRFS_ROOT_ORPHAN_CLEANUP set btrfs_mksubvol() lookup_one_len() __lookup_slow() d_alloc_parallel() __d_alloc() // d_lockref.count = 1 create_subvol(dentry) // doesn't touch the bit.. 
d_instantiate_new(dentry, inode) // dentry in cache with d_lockref.c ---truncated--- |
CVE-2026-31519
|
| VCID-dp4x-6duw-8yeh | kernel: wifi: rtw88: delete timer and free skb queue when unloading |
CVE-2023-53574
|
| VCID-dqe1-cf2v-myes | kernel: ocfs2: Avoid touching renamed directory if parent does not change |
CVE-2023-52590
|
| VCID-dqp6-k3du-n3ep | kernel: btrfs: subpage: keep TOWRITE tag until folio is cleaned |
CVE-2025-39779
|
| VCID-drqe-npyk-5yfa | kernel: dmaengine: idxd: Refactor remove call with idxd_cleanup() helper |
CVE-2025-38014
|
| VCID-ds3w-wph8-7kam | kernel: drm/gem: Acquire references on GEM handles for framebuffers |
CVE-2025-38449
|
| VCID-dsrd-nv6n-5ygq | kernel: scsi: core: Fix refcount leak for tagset_refcnt |
CVE-2026-23296
|
| VCID-dtzb-vs94-3ygt | kernel: arm64: set __exception_irq_entry with __irq_entry as a default |
CVE-2023-54322
|
| VCID-dwes-ct77-juc8 | Kernel: A use-after-free due to race between scr24x_open() and scr24x_remove() |
CVE-2022-44034
|
| VCID-dykz-252m-jkcu | In the Linux kernel, the following vulnerability has been resolved: hwmon: (pmbus/core) Protect regulator operations with mutex The regulator operations pmbus_regulator_get_voltage(), pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage() access PMBus registers and shared data but were not protected by the update_lock mutex. This could lead to race conditions. However, adding mutex protection directly to these functions causes a deadlock because pmbus_regulator_notify() (which calls regulator_notifier_call_chain()) is often called with the mutex already held (e.g., from pmbus_fault_handler()). If a regulator callback then calls one of the now-protected voltage functions, it will attempt to acquire the same mutex. Rework pmbus_regulator_notify() to utilize a worker function to send notifications outside of the mutex protection. Events are stored as atomics in a per-page bitmask and processed by the worker. Initialize the worker and its associated data during regulator registration, and ensure it is cancelled on device removal using devm_add_action_or_reset(). While at it, remove the unnecessary include of linux/of.h. |
CVE-2026-31486
|
| VCID-dyun-rd3c-rke6 | kernel: drm/amd/display: Avoid overflow from uint32_t to uint8_t |
CVE-2024-47661
|
| VCID-dzye-v1vd-gybq | kernel: ksmbd: fix use-after-free in __smb2_lease_break_noti() |
CVE-2025-37777
|
| VCID-e1pe-znzp-jqhx | kernel: LoongArch: Optimize module load time by optimizing PLT/GOT counting |
CVE-2025-39767
|
| VCID-e2vy-prvw-xkhq | kernel: bnxt_en: Fix memory corruption when FW resources change during ifdown |
CVE-2025-39810
|
| VCID-e2wu-3vmz-3yae | kernel: drm: zynqmp_kms: Unplug DRM device before removal |
CVE-2024-56538
|
| VCID-e42z-ac66-gye3 | kernel: ksmbd: check outstanding simultaneous SMB operations |
CVE-2024-50285
|
| VCID-e495-c57w-tkft | kernel: spi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware |
CVE-2024-47664
|
| VCID-e4jw-y3k8-r7ec | kernel: net/mlx5e: Fix netif state handling |
CVE-2024-38608
|
| VCID-e57d-cw7e-73an | kernel: media: av7110: fix a spectre vulnerability |
CVE-2024-50289
|
| VCID-e6th-hujj-6bby | kernel: drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags |
CVE-2024-49923
|
| VCID-e7ae-83vq-auf1 | kernel: btrfs: fix NULL dereference on root when tracing inode eviction |
CVE-2025-71184
|
| VCID-e8ky-fyhz-dqhc | In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() A malicious or compromised VIO server can return a num_written value in the discover targets MAD response that exceeds max_targets. This value is stored directly in vhost->num_targets without validation, and is then used as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which is only allocated for max_targets entries. Indices at or beyond max_targets access kernel memory outside the DMA-coherent allocation. The out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI MADs that are sent back to the VIO server, leaking kernel memory. Fix by clamping num_written to max_targets before storing it. |
CVE-2026-31464
|
| VCID-e965-zevp-rqgd | kernel: erofs: Fix detection of atomic context |
CVE-2023-53231
|
| VCID-e9d9-jb9v-jufv | kernel: net/mlx5: Reload only IB representors upon lag disable/enable |
CVE-2024-38557
|
| VCID-ea36-7v42-fyfp | kernel: usb: typec: tipd: Free IRQ only if it was requested before |
CVE-2024-50057
|
| VCID-ecc5-64vs-ekgr | In the Linux kernel, the following vulnerability has been resolved: crypto: atmel-sha204a - Fix OOM ->tfm_count leak If memory allocation fails, decrement ->tfm_count to avoid blocking future reads. |
CVE-2026-31391
|
| VCID-ed3p-sm1w-33am | kernel: net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled |
CVE-2026-23293
|
| VCID-edhy-ptjn-1kbx | kernel: driver core: fix potential NULL pointer dereference in dev_uevent() |
CVE-2025-37800
|
| VCID-edst-7exd-zud8 | kernel: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match() |
CVE-2025-40168
|
| VCID-eetb-e929-77bc | kernel: wifi: ath11k: update channel list in reg notifier instead reg worker |
CVE-2025-23133
|
| VCID-ehtx-jr8g-vbgb | kernel: cifs: fix potential race when tree connecting ipc |
CVE-2023-54280
|
| VCID-emdc-7k4g-67e5 | kernel: net: kcm: Fix race condition in kcm_unattach() |
CVE-2025-38717
|
| VCID-enyv-k9c5-bfe4 | kernel: tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check() |
CVE-2025-68188
|
| VCID-es8r-wvmz-gfe6 | kernel: net/sched: Fix backlog accounting in qdisc_dequeue_internal |
CVE-2025-39677
|
| VCID-esup-2y63-afa4 | kernel: cifs: client: fix memory leak in smb3_fs_context_parse_param |
CVE-2025-40268
|
| VCID-etb2-844u-jfdu | kernel: Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init() |
CVE-2024-36968
|
| VCID-ete6-ycnw-7kgg | kernel: Input: alps - fix use-after-free bugs caused by dev3_register_work |
CVE-2025-68822
|
| VCID-ew57-csay-bube | kernel: Bluetooth: hci_core: Fix use-after-free in vhci_flush() |
CVE-2025-38250
|
| VCID-ewj3-dyq9-r7f2 | kernel: drm/amd/pm: Disable MMIO access during SMU Mode 1 reset |
CVE-2026-23213
|
| VCID-ex4p-ftap-h7fe | kernel: net: annotate data-races around sk->sk_{data_ready,write_space} |
CVE-2026-23302
|
| VCID-ex8u-z3r8-cycq | In the Linux kernel, the following vulnerability has been resolved: ipv6: add NULL checks for idev in SRv6 paths __in6_dev_get() can return NULL when the device has no IPv6 configuration (e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER). Add NULL checks for idev returned by __in6_dev_get() in both seg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL pointer dereferences. |
CVE-2026-23442
|
| VCID-ex9p-euhg-aybf | kernel: scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue |
CVE-2025-37861
|
| VCID-exhn-kypt-2fbd | kernel: jfs: fix array-index-out-of-bounds read in add_missing_indices |
CVE-2025-38204
|
| VCID-exkc-gh4x-p3bh | kernel: drm/amd/display: Wake DMCUB before executing GPINT commands |
CVE-2023-52624
|
| VCID-ey68-cc97-duhz | kernel: drm/amd/display: Fix incorrect size calculation for loop |
CVE-2024-46729
|
| VCID-eyg8-qhra-ukcj | kernel: RDMA/mlx5: Fix implicit ODP use after free |
CVE-2025-21714
|
| VCID-ezwh-qc41-pugn | kernel: vxlan: Fix NPD when refreshing an FDB entry with a nexthop object |
CVE-2025-39851
|
| VCID-f1r5-rt1y-jkd4 | kernel: rxrpc: Fix data-race warning and potential load/store tearing |
CVE-2026-23118
|
| VCID-f2ce-pung-aqgw | kernel: Linux kernel: Denial of Service in rxrpc due to prealloc collision |
CVE-2025-38544
|
| VCID-f2m2-u9j3-3ba9 | kernel: fs/9p: fix NULL pointer dereference on mkdir |
CVE-2025-22070
|
| VCID-f2u9-7eeg-e7cg | kernel: ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr |
CVE-2025-68183
|
| VCID-f3sv-pbfs-cqcc | kernel: um: work around sched_yield not yielding in time-travel mode |
CVE-2025-37880
|
| VCID-f5xt-m6qt-43ep | kernel: btrfs: fix deadlock with fiemap and extent locking |
CVE-2024-35784
|
| VCID-f76c-qhke-3bag | kernel: can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message |
CVE-2026-23307
|
| VCID-f892-ybkq-kbd7 | In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Initialize free_qp completion before using it In irdma_create_qp, if ib_copy_to_udata fails, it will call irdma_destroy_qp to clean up which will attempt to wait on the free_qp completion, which is not initialized yet. Fix this by initializing the completion before the ib_copy_to_udata call. |
CVE-2026-31492
|
| VCID-f968-vrzv-8ke5 | kernel: bpf: Defer work in bpf_timer_cancel_and_free |
CVE-2024-41045
|
| VCID-fe76-s8g9-zuar | kernel: smb: client: fix UAF in decryption with multichannel |
CVE-2025-37750
|
| VCID-ffdb-88yu-3be1 | kernel: drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() |
CVE-2026-23356
|
| VCID-fhme-yjgr-suep | kernel: habanalabs: fix UAF in export_dmabuf() |
CVE-2025-38722
|
| VCID-fhxv-d8du-rbgk | kernel: btrfs: do proper folio cleanup when run_delalloc_nocow() failed |
CVE-2024-57975
|
| VCID-fmjc-a468-fffw | kernel: f2fs: split initial and dynamic conditions for extent_cache |
CVE-2023-52770
|
| VCID-fqzh-sckm-a3ff | kernel: bpf: support deferring bpf_link dealloc to after RCU grace period |
CVE-2024-35860
|
| VCID-fs73-5ucn-qke1 | In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: Avoid releasing netdev before teardown completes The patch cited in the Fixes tag below changed the teardown code for OVS ports to no longer unconditionally take the RTNL. After this change, the netdev_destroy() callback can proceed immediately to the call_rcu() invocation if the IFF_OVS_DATAPATH flag is already cleared on the netdev. The ovs_netdev_detach_dev() function clears the flag before completing the unregistration, and if it gets preempted after clearing the flag (as can happen on an -rt kernel), netdev_destroy() can complete and the device can be freed before the unregistration completes. This leads to a splat like: ---truncated--- |
CVE-2026-31508
|
| VCID-fsjs-fmwz-x3bd | kernel: md: suspend array while updating raid_disks via sysfs |
CVE-2025-71225
|
| VCID-fufn-uqtv-wkas | kernel: f2fs: fix to avoid panic once fallocation fails for pinfile |
CVE-2025-23130
|
| VCID-fvam-jks7-jkbt | kernel: drm/amd/display: Add otg_master NULL check within resource_log_pipe_topology_update |
CVE-2024-46727
|
| VCID-fvhu-1xqw-fkbk | kernel: netfilter: nf_tables: restore set elements when delete set fails |
CVE-2024-27012
|
| VCID-fvvb-p7r7-zkbk |
CVE-2026-31422
|
|
| VCID-fx2q-84en-qyah | kernel: can: bcm: fix locking for bcm_op runtime updates |
CVE-2026-23362
|
| VCID-fz9m-axm1-4kcb | kernel: wifi: rtw89: fix null pointer access when abort scan |
CVE-2024-35946
|
| VCID-g162-81ms-93g7 | kernel: ipv6: use RCU in ip6_output() |
CVE-2025-40158
|
| VCID-g2gb-t5zm-1qb1 | kernel: net: mctp: Don't access ifa_index when missing |
CVE-2025-38006
|
| VCID-g2yr-d1ta-93g7 | In the Linux kernel, the following vulnerability has been resolved: module: Fix kernel panic when a symbol st_shndx is out of bounds The module loader doesn't check for bounds of the ELF section index in simplify_symbols(): for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) { const char *name = info->strtab + sym[i].st_name; switch (sym[i].st_shndx) { case SHN_COMMON: [...] default: /* Divert to percpu allocation if a percpu var. */ if (sym[i].st_shndx == info->index.pcpu) secbase = (unsigned long)mod_percpu(mod); else /** HERE --> **/ secbase = info->sechdrs[sym[i].st_shndx].sh_addr; sym[i].st_value += secbase; break; } } A symbol with an out-of-bounds st_shndx value, for example 0xffff (known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic: BUG: unable to handle page fault for address: ... RIP: 0010:simplify_symbols+0x2b2/0x480 ... Kernel panic - not syncing: Fatal exception This can happen when module ELF is legitimately using SHN_XINDEX or when it is corrupted. Add a bounds check in simplify_symbols() to validate that st_shndx is within the valid range before using it. This issue was discovered due to a bug in llvm-objcopy, see relevant discussion for details [1]. [1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai@linux.dev/ |
CVE-2026-31521
|
| VCID-g34c-hwct-tqb1 | kernel: ptp: Add a upper bound on max_vclocks |
CVE-2025-40057
|
| VCID-g3ku-5npc-v7gc | kernel: net: phy: register phy led_triggers during probe to avoid AB-BA deadlock |
CVE-2026-23368
|
| VCID-g4qj-az94-83c6 | kernel: btrfs: avoid NULL pointer dereference if no valid extent tree |
CVE-2025-21658
|
| VCID-g75p-x4da-efdt | kernel: net: hns3: fix kernel crash when 1588 is sent on HIP08 devices |
CVE-2025-21649
|
| VCID-g7k7-e2h7-a7f6 | kernel: fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata |
CVE-2025-71265
|
| VCID-g82z-3144-u3d2 | In the Linux kernel, the following vulnerability has been resolved: RDMA/efa: Fix use of completion ctx after free On admin queue completion handling, if the admin command completed with error we print data from the completion context. The issue is that we already freed the completion context in polling/interrupts handler which means we print data from context in an unknown state (it might be already used again). Change the admin submission flow so alloc/dealloc of the context will be symmetric and dealloc will be called after any potential use of the context. |
CVE-2026-31493
|
| VCID-g8k1-wwq1-yka2 | In the Linux kernel, the following vulnerability has been resolved: xfrm: prevent policy_hthresh.work from racing with netns teardown A XFRM_MSG_NEWSPDINFO request can queue the per-net work item policy_hthresh.work onto the system workqueue. The queued callback, xfrm_hash_rebuild(), retrieves the enclosing struct net via container_of(). If the net namespace is torn down before that work runs, the associated struct net may already have been freed, and xfrm_hash_rebuild() may then dereference stale memory. xfrm_policy_fini() already flushes policy_hash_work during teardown, but it does not synchronize policy_hthresh.work. Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so the queued work cannot outlive the net namespace teardown and access a freed struct net. |
CVE-2026-31516
|
| VCID-gbkk-anun-a3ce |
CVE-2025-54505
XSA-488 |
|
| VCID-gcqh-ytsa-f7g1 | kernel: drm/amd/display: Run DC_LOG_DC after checking link->link_enc |
CVE-2024-46776
|
| VCID-gkap-5jhj-tbff | kernel: net/sched: act_ife: Fix metalist update behavior |
CVE-2026-23378
|
| VCID-gkhm-29a6-7uc6 | kernel: LoongArch: Fix panic caused by NULL-PMD in huge_pte_offset() |
CVE-2025-38195
|
| VCID-gm3e-d4pv-53aq | kernel: drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' |
CVE-2024-26661
|
| VCID-gmun-zz47-suap | In the Linux kernel, the following vulnerability has been resolved: nvme-pci: ensure we're polling a polled queue A user can change the polled queue count at run time. There's a brief window during a reset where a hipri task may try to poll that queue before the block layer has updated the queue maps, which would race with the now interrupt driven queue and may cause double completions. |
CVE-2026-31523
|
| VCID-gn82-9qs1-37hs | kernel: drm/amdgpu: fix nullptr err of vm_handle_moved |
CVE-2025-40339
|
| VCID-gpcp-4y8w-fka1 | kernel: nfc: nci: complete pending data exchange on device close |
CVE-2026-23330
|
| VCID-gqbd-ybcp-jybq | kernel: drm/amd/pm: fix null pointer access |
CVE-2025-38705
|
| VCID-gqr9-19jt-qfds | kernel: net: use dst_dev_rcu() in sk_setup_caps() |
CVE-2025-40170
|
| VCID-gr5s-rjhv-3kdw | kernel: lan966x: Fix sleeping in atomic context |
CVE-2025-68320
|
| VCID-gtjv-ut7g-hqhv | kernel: spi: tegra210-quad: Protect curr_xfer check in IRQ handler |
CVE-2026-23207
|
| VCID-gtzq-1g5y-tkh5 | kernel: nfsd: release svc_expkey/svc_export with rcu_work |
CVE-2024-53216
|
| VCID-gu84-p4ru-b7gj | kernel: f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic |
CVE-2025-38627
|
| VCID-gv7r-71cz-e3cz | kernel: bus: mhi: ep: Update read pointer only after buffer is written |
CVE-2025-38429
|
| VCID-gvya-5wgk-j3cv | kernel: udf: refactor inode_bmap() to handle error |
CVE-2024-50211
|
| VCID-gyhz-a9pm-zqav | Linux privcmd driver can circumvent kernel lockdown |
CVE-2026-31788
|
| VCID-gyzx-musu-83c4 | kernel: btrfs: insert tree mod log move in push_node_left |
CVE-2023-53538
|
| VCID-h31q-rcq3-7ud3 | kernel: spi: fix use-after-free on controller registration failure |
CVE-2026-31389
|
| VCID-h3e8-fux5-3fe2 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present: - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8). - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_len >= 5). A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an out-of-bounds read of adjacent skb data. Guard each data access with the required payload length check. If the payload is too short, skip the read and let the state machine complete with safe defaults (feat_mask and remote_fixed_chan remain zero from kzalloc), so the info timer cleanup and l2cap_conn_start() still run and the connection is not stalled. |
CVE-2026-31393
|
| VCID-h5ks-h7t7-rqcz | kernel: fs/ntfs3: Check 'folio' pointer for NULL |
CVE-2024-38625
|
| VCID-h7pm-dyef-1fan |
CVE-2026-31409
|
|
| VCID-h7tb-d7q2-pqcr | kernel: f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC |
CVE-2024-44942
|
| VCID-h8sj-qvv2-rydf | kernel: incorrect check for error case in the memory_tier_init |
CVE-2023-23005
|
| VCID-hbzk-b7gn-9bgz | kernel: riscv: save the SR_SUM status over switches |
CVE-2025-38261
|
| VCID-hfq2-r9mw-p3cp | kernel: btrfs: fix double accounting race when btrfs_run_delalloc_range() failed |
CVE-2024-58089
|
| VCID-hh8s-8fc8-pkgq | kernel: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase |
CVE-2026-23351
|
| VCID-hjf7-23wz-1qeg | kernel: net: mvpp2: guard flow control update with global_tx_fc in buffer switching |
CVE-2026-23438
|
| VCID-hmmv-61tn-nkc2 | kernel: mm: clear uffd-wp PTE/PMD state on mremap() |
CVE-2025-21696
|
| VCID-hpqq-mr4h-gbcj | In the Linux kernel, the following vulnerability has been resolved: virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false A UAF issue occurs when the virtio_net driver is configured with napi_tx=N and the device's IFF_XMIT_DST_RELEASE flag is cleared (e.g., during the configuration of tc route filter rules). When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack expects the driver to hold the reference to skb->dst until the packet is fully transmitted and freed. In virtio_net with napi_tx=N, skbs may remain in the virtio transmit ring for an extended period. If the network namespace is destroyed while these skbs are still pending, the corresponding dst_ops structure has been freed. When a subsequent packet is transmitted, free_old_xmit() is triggered to clean up old skbs. It then calls dst_release() on the skb associated with the stale dst_entry. Since the dst_ops (referenced by the dst_entry) has already been freed, a UAF kernel paging request occurs. Fix it by adding skb_dst_drop(skb) in start_xmit to explicitly release the dst reference before the skb is queued in virtio_net. Call Trace: Unable to handle kernel paging request at virtual address ffff80007e150000 CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT ... percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P) dst_release+0xe0/0x110 net/core/dst.c:177 skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177 sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255 dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469 napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527 __free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net] free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net] start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net] ...
Reproduction Steps: NETDEV="enp3s0" config_qdisc_route_filter() { tc qdisc del dev $NETDEV root tc qdisc add dev $NETDEV root handle 1: prio tc filter add dev $NETDEV parent 1:0 \ protocol ip prio 100 route to 100 flowid 1:1 ip route add 192.168.1.100/32 dev $NETDEV realm 100 } test_ns() { ip netns add testns ip link set $NETDEV netns testns ip netns exec testns ifconfig $NETDEV 10.0.32.46/24 ip netns exec testns ping -c 1 10.0.32.1 ip netns del testns } config_qdisc_route_filter test_ns sleep 2 test_ns |
CVE-2026-31469
|
| VCID-hq39-2qnw-v3dw | In the Linux kernel, the following vulnerability has been resolved: nfc: nci: fix circular locking dependency in nci_close_device nci_close_device() flushes rx_wq and tx_wq while holding req_lock. This causes a circular locking dependency because nci_rx_work() running on rx_wq can end up taking req_lock too: nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock) Move the flush of rx_wq after req_lock has been released. This should be safe (I think) because NCI_UP has already been cleared and the transport is closed, so the work will see it and return -ENETDOWN. NIPA has been hitting this running the nci selftest with a debug kernel on roughly 4% of the runs. |
CVE-2026-31509
|
| VCID-htyr-jnu7-e3gf | kernel: drm/msm/dpu: Add mutex lock in control vblank irq |
CVE-2023-52586
|
| VCID-hu4f-e8qk-8fbz | kernel: fs: quota: create dedicated workqueue for quota_release_work |
CVE-2025-40196
|
| VCID-hucp-gu2u-97e1 | hw: amd: Instruction raise #VC exception at exit |
CVE-2024-25743
|
| VCID-huh6-94c8-rkad | kernel: x86/mce: use is_copy_from_user() to determine copy-from-user context |
CVE-2025-39989
|
| VCID-hv12-tgt6-rub5 | kernel: sched/deadline: Fix task_struct reference leak |
CVE-2024-41023
|
| VCID-hwat-fnmq-vydn | kernel: userfaultfd: fix checks for huge PMDs |
CVE-2024-46787
|
| VCID-hx57-qb6n-bfba | kernel: PCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in pci_epf_test_core_init() |
CVE-2024-43824
|
| VCID-hxj2-cvvc-tqec | kernel: cgroup/cpuset: remove kernfs active break |
CVE-2025-21634
|
| VCID-j1um-9nym-muh4 | kernel: efi: Don't map the entire mokvar table to determine its size |
CVE-2025-21872
|
| VCID-j5zr-w83u-q7ds | kernel: perf: Fix hang while freeing sigtrap event |
CVE-2025-37747
|
| VCID-j7c3-n2w7-fbg4 | kernel: f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode |
CVE-2025-38626
|
| VCID-j843-2qbk-tkcz | kernel: arm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD |
CVE-2024-26670
|
| VCID-j87e-taah-ubbv | kernel: platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data |
CVE-2026-23370
|
| VCID-j8yy-3tn1-63b5 | kernel: ASoC: Intel: avs: Do not share the name pointer between components |
CVE-2025-40338
|
| VCID-j9s4-1dar-7qdb | kernel: Linux kernel blk-cgroup: Use-after-free vulnerability leading to denial of service |
CVE-2023-54107
|
| VCID-j9tf-d5qg-6fgq | kernel: gfs2: Fix unlikely race in gdlm_put_lock |
CVE-2025-40242
|
| VCID-jamx-hf6t-bfcd | kernel: Linux kernel: Denial of service and memory corruption in RDMA umad |
CVE-2026-23243
|
| VCID-jbs2-t7yr-rqh3 | kernel: pktgen: use cpus_read_lock() in pg_net_init() |
CVE-2024-46681
|
| VCID-jbyd-zxvz-mkf2 | kernel: bpf: check changes_pkt_data property for extension programs |
CVE-2024-58100
|
| VCID-jfhv-6svu-x3f6 | kernel: sfc: fix NULL dereferences in ef100_process_design_param() |
CVE-2025-37860
|
| VCID-jfrf-qe3s-gbax | kernel: drm/amd/display: Check stream_status before it is used |
CVE-2024-49893
|
| VCID-jgaw-mgbm-sfaf | kernel: mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop |
CVE-2025-40180
|
| VCID-jgke-4yqg-s7g7 | kernel: drm/amd/display: Check null pointers before used |
CVE-2024-49921
|
| VCID-jhz4-z9f5-4ka3 | kernel: parisc: Avoid crash due to unaligned access in unwinder |
CVE-2025-68322
|
| VCID-jmqw-ffjj-fqb7 | kernel: drivers: perf: Check find_first_bit() return value |
CVE-2023-52797
|
| VCID-jtnv-mefv-qqff | kernel: bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim |
CVE-2026-23319
|
| VCID-jupy-x3sh-vqcp | kernel: bpf: Remove tst_run from lwt_seg6local_prog_ops. |
CVE-2024-46754
|
| VCID-jvv4-j5x1-dbd6 | kernel: bpf: track changes_pkt_data property for global functions |
CVE-2024-58098
|
| VCID-jx72-vpup-p3gk | kernel: f2fs: fix potential deadloop in prepare_compress_overwrite() |
CVE-2025-22127
|
| VCID-jxkv-jbh3-9fhj | kernel: drm/amd/display: add null check |
CVE-2025-39762
|
| VCID-jz2j-4jqz-8fdg | kernel: btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids() |
CVE-2024-50217
|
| VCID-k1eg-sz6t-skg8 | kernel: Bluetooth: hci_core: lookup hci_conn on RX path on protocol side |
CVE-2025-68304
|
| VCID-k1v3-945q-47eh | kernel: macvlan: observe an RCU grace period in macvlan_common_newlink() error path |
CVE-2026-23273
|
| VCID-k27q-9kcv-3fgh | kernel: f2fs: don't set RO when shutting down f2fs |
CVE-2024-40969
|
| VCID-k29n-spa9-uqdz | kernel: ethtool: fail closed if we can't get max channel used in indirection tables |
CVE-2024-46834
|
| VCID-k3bt-ws28-e3ex | kernel: smb: client: fix use-after-free in smb2_query_info_compound() |
CVE-2023-52751
|
| VCID-k48g-n4ka-fugh | kernel: nvme: apple: fix device reference counting |
CVE-2024-43913
|
| VCID-k68k-tnns-mkga | kernel: ipv4: start using dst_dev_rcu() |
CVE-2025-40074
|
| VCID-k9e5-ykzu-qyew | kernel: drm/amd/display: Add null check for pipe_ctx->plane_state in dcn20_program_pipe |
CVE-2024-49914
|
| VCID-ka7q-cx4u-rkar | kernel: nvme-fabrics: use reserved tag for reg read/write command |
CVE-2024-41082
|
| VCID-kbc5-2ek1-gfbd | kernel: trace/fgraph: Fix the warning caused by missing unregister notifier |
CVE-2025-39829
|
| VCID-kcca-um99-4ugp | kernel: dlm: fix possible lkb_resource null dereference |
CVE-2024-47809
|
| VCID-kcmk-1zxh-2yhv | kernel: net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs |
CVE-2026-23340
|
| VCID-kdf1-9mq7-2ue6 | kernel: i2c: lpi2c: Avoid calling clk_get_rate during transfer |
CVE-2024-40965
|
| VCID-kdmz-w6db-7ue2 | In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE entries fit within the skb. The first check correctly accounts for ndpoffset: if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) but the second check omits it: if ((sizeof(struct usb_cdc_ncm_ndp16) + ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) This validates the DPE array size against the total skb length as if the NDP were at offset 0, rather than at ndpoffset. When the NDP is placed near the end of the NTB (large wNdpIndex), the DPE entries can extend past the skb data buffer even though the check passes. cdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating the DPE array. Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly. |
CVE-2026-23448
|
| VCID-kg8v-183b-33ce | kernel: rxrpc: Fix delayed ACKs to not set the reference serial number |
CVE-2024-26677
|
| VCID-kgsv-ke1m-xkg5 | kernel: LoongArch: Set hugetlb mmap base address aligned with pmd size |
CVE-2025-21949
|
| VCID-kgv3-f25s-ckd5 | kernel: Linux kernel KVM: Denial of Service due to uninitialized vCPU event handling |
CVE-2025-40102
|
| VCID-khrd-ya2n-rygv | kernel: net/sched: flower: Fix chain template offload |
CVE-2024-26669
|
| VCID-kj4q-41ch-2bdx | kernel: Linux kernel: uvcvideo Denial of Service from invalid UVC entity IDs |
CVE-2025-40016
|
| VCID-kjn8-9h7n-dfab | kernel: net: phy: phy_device: Prevent nullptr exceptions on ISR |
CVE-2024-35945
|
| VCID-kk4c-najx-kyhq | In the Linux kernel, the following vulnerability has been resolved: ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len() After this commit (e2b76ab8b5c9 "ksmbd: add support for read compound"), response buffer management was changed to use dynamic iov array. In the new design, smb2_calc_max_out_buf_len() expects the second argument (hdr2_len) to be the offset of ->Buffer field in the response structure, not a hardcoded magic number. Fix the remaining call sites to use the correct offsetof() value. |
CVE-2026-31478
|
| VCID-kkmc-f6mq-xkfv | kernel: drm/msm/dp: Drop aux devices together with DP controller |
CVE-2023-53851
|
| VCID-kn25-f6gk-93fd | kernel: drm/amd/display: Fix NULL pointer dereference for DTN log in DCN401 |
CVE-2024-43901
|
| VCID-kn32-aqhq-k7c5 | In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: serialize lock/unlock against other NAND operations nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area without holding the NAND device lock. On controllers that implement SET_FEATURES via multiple low-level PIO commands, these can race with concurrent UBI/UBIFS background erase/write operations that hold the device lock, resulting in cmd_pending conflicts on the NAND controller. Add nand_get_device()/nand_release_device() around the lock/unlock operations to serialize them against all other NAND controller access. |
CVE-2026-23434
|
| VCID-kns4-65da-v3bc | In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix cache_request leak in cache_release When a reader's file descriptor is closed while in the middle of reading a cache_request (rp->offset != 0), cache_release() decrements the request's readers count but never checks whether it should free the request. In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the cache_request is removed from the queue and freed along with its buffer and cache_head reference. cache_release() lacks this cleanup. The only other path that frees requests with readers == 0 is cache_dequeue(), but it runs only when CACHE_PENDING transitions from set to clear. If that transition already happened while readers was still non-zero, cache_dequeue() will have skipped the request, and no subsequent call will clean it up. Add the same cleanup logic from cache_read() to cache_release(): after decrementing readers, check if it reached 0 with CACHE_PENDING clear, and if so, dequeue and free the cache_request. |
CVE-2026-31400
|
| VCID-kpkx-qwue-bff4 | In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nfct_help(ct), leading to a use-after-free on ct->ext. The bug is that the netlink_dump_control has no .start or .done callbacks to manage the conntrack reference across dump rounds. Other dump functions in the same file (e.g. ctnetlink_get_conntrack) properly use .start/.done callbacks for this purpose. Fix this by adding .start and .done callbacks that hold and release the conntrack reference for the duration of the dump, and move the nfct_help() call after the cb->args[0] early-return check in the dump callback to avoid dereferencing ct->ext unnecessarily. BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0 Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133 CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY Call Trace: <TASK> ctnetlink_exp_ct_dump_table+0x4f/0x2e0 netlink_dump+0x333/0x880 netlink_recvmsg+0x3e2/0x4b0 ? aa_sk_perm+0x184/0x450 sock_recvmsg+0xde/0xf0 Allocated by task 133: kmem_cache_alloc_noprof+0x134/0x440 __nf_conntrack_alloc+0xa8/0x2b0 ctnetlink_create_conntrack+0xa1/0x900 ctnetlink_new_conntrack+0x3cf/0x7d0 nfnetlink_rcv_msg+0x48e/0x510 netlink_rcv_skb+0xc9/0x1f0 nfnetlink_rcv+0xdb/0x220 netlink_unicast+0x3ec/0x590 netlink_sendmsg+0x397/0x690 __sys_sendmsg+0xf4/0x180 Freed by task 0: slab_free_after_rcu_debug+0xad/0x1e0 rcu_core+0x5c3/0x9c0 |
CVE-2026-23458
|
| VCID-kptu-sm1d-kuae | kernel: drm/amd/display: Add null check for head_pipe in dcn201_acquire_free_pipe_for_layer |
CVE-2024-49919
|
| VCID-kpyj-qqha-1udx | kernel: bpf: Fail bpf_timer_cancel when callback is being cancelled |
CVE-2024-42239
|
| VCID-ktsr-nq3s-33gt | kernel: wifi: rtw88: Fix memory leak in rtw88_usb |
CVE-2023-53529
|
| VCID-kv4f-h7zy-2yhd | kernel: rxrpc: Fix recv-recv race of completed call |
CVE-2025-38524
|
| VCID-kvbv-df49-gyaj | In the Linux kernel, the following vulnerability has been resolved: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT). When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory. This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial. We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large. Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request. |
CVE-2026-31402
|
| VCID-kx5p-87fs-9kgw | kernel: drm/amdgpu: Add basic validation for RAS header |
CVE-2025-38426
|
| VCID-ky32-n1qj-nydf | kernel: hv_netvsc: Don't free decrypted memory |
CVE-2024-36911
|
| VCID-kye7-8mwh-eyc8 | kernel: bnxt: properly flush XDP redirect lists |
CVE-2025-38246
|
| VCID-kzsr-8hjr-gkf1 | kernel: drm/amd/display: Do not return negative stream id for array |
CVE-2024-42118
|
| VCID-m21d-1mj4-3bbn | kernel: drm/msm: Fix pgtable prealloc error path |
CVE-2025-40247
|
| VCID-m35k-ahnu-abh1 | kernel: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() |
CVE-2026-23450
|
| VCID-m3ch-q8dr-xkay | In the Linux kernel, the following vulnerability has been resolved: HID: asus: avoid memory leak in asus_report_fixup() The asus_report_fixup() function was returning a newly allocated kmemdup()-allocated buffer, but never freeing it. Switch to devm_kzalloc() to ensure the memory is managed and freed automatically when the device is removed. The caller of report_fixup() does not take ownership of the returned pointer, but it is permitted to return a pointer whose lifetime is at least that of the input buffer. Also fix a harmless out-of-bounds read by copying only the original descriptor size. |
CVE-2026-31524
|
| VCID-m4v3-xfhr-rbgt | kernel: rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb() |
CVE-2024-49926
|
| VCID-m4y2-16uk-wkdg | kernel: exfat: add cluster chain loop check for dir |
CVE-2025-38692
|
| VCID-m5bk-s7pe-cbd8 | kernel: drm/amd/display: Fix out-of-bound accesses |
CVE-2025-21985
|
| VCID-m6h1-8erq-dqb8 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop l2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED state to support L2CAP reconfiguration (e.g. MTU changes). However, since both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from the initial configuration, the reconfiguration path falls through to l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and retrans_list without freeing the previous allocations and sets chan->sdu to NULL without freeing the existing skb. This leaks all previously allocated ERTM resources. Additionally, l2cap_parse_conf_req() does not validate the minimum value of remote_mps derived from the RFC max_pdu_size option. A zero value propagates to l2cap_segment_sdu() where pdu_len becomes zero, causing the while loop to never terminate since len is never decremented, exhausting all available memory. Fix the double-init by skipping l2cap_ertm_init() and l2cap_chan_ready() when the channel is already in BT_CONNECTED state, while still allowing the reconfiguration parameters to be updated through l2cap_parse_conf_req(). Also add a pdu_len zero check in l2cap_segment_sdu() as a safeguard. |
CVE-2026-31498
|
| VCID-m6yv-nu11-ayg2 | kernel: drm/amd/display: Fix dcn35 8k30 Underflow/Corruption Issue |
CVE-2024-26913
|
| VCID-m773-z76s-8qad | kernel: dm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape |
CVE-2024-26962
|
| VCID-m7cd-jefr-4ydy | kernel: exfat: fix out-of-bounds access of directory entries |
CVE-2024-53147
|
| VCID-m8n7-j86u-7ugj | kernel: drm/amdkfd: range check cp bad op exception interrupts |
CVE-2024-36951
|
| VCID-m995-b8rn-tkgk | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive after the decrement. |
CVE-2026-23455
|
| VCID-madz-x835-s7cy | In the Linux kernel, the following vulnerability has been resolved: HID: magicmouse: avoid memory leak in magicmouse_report_fixup() The magicmouse_report_fixup() function was returning a newly kmemdup()-allocated buffer, but never freeing it. The caller of report_fixup() does not take ownership of the returned pointer, but it *is* permitted to return a sub-portion of the input rdesc, whose lifetime is managed by the caller. |
CVE-2026-31522
|
| VCID-mg8e-fpwg-rbg2 | kernel: RDMA/mlx5: Fix the recovery flow of the UMR QP |
CVE-2025-21892
|
| VCID-mgjc-55mm-kffq | kernel: mISDN: hfcpci: Fix warning when deleting uninitialized timer |
CVE-2025-39833
|
| VCID-mjbb-q1nx-8fgj | kernel: Linux kernel (iavf): Denial of Service due to a locking issue |
CVE-2025-38311
|
| VCID-mkjm-756w-5ygt | kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation |
CVE-2026-23270
|
| VCID-mkw6-9tye-x3fb | kernel: nf_tables: nft_dynset: fix possible stateful expression memleak in error path |
CVE-2026-23399
|
| VCID-mm1u-nfnt-nkaf | kernel: net: enetc: fix the deadlock of enetc_mdio_lock |
CVE-2025-40347
|
| VCID-mmsk-j6bt-wuh1 |
CVE-2026-23419
|
|
| VCID-mp87-833h-4uag | kernel: net: ibmveth: make veth_pool_store stop hanging |
CVE-2025-22053
|
| VCID-mrh8-akgh-ybby | kernel: btrfs: ensure no dirty metadata is written back for an fs with errors |
CVE-2025-40303
|
| VCID-mrj8-hhte-77a4 | kernel: ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog |
CVE-2025-39859
|
| VCID-msbv-kmj8-b7e8 | kernel: nouveau: lock the client object tree. |
CVE-2024-27062
|
| VCID-mt8z-wdzf-kugb | kernel: f2fs: fix to avoid potential deadlock |
CVE-2025-71065
|
| VCID-mtxh-7f6h-t3g4 | kernel: HID: nintendo: avoid bluetooth suspend/resume stalls |
CVE-2025-38507
|
| VCID-mu3y-rdt2-x3g1 | kernel: net: hns3: don't auto enable misc vector |
CVE-2025-21651
|
| VCID-mwv3-k49q-tfeu | kernel: net: Fix icmp host relookup triggering ip_rt_bug |
CVE-2024-56647
|
| VCID-mzg4-exh3-pugu | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix leak of kobject name for sub-group space_info When create_space_info_sub_group() allocates elements of space_info->sub_group[], kobject_init_and_add() is called for each element via btrfs_sysfs_add_space_info_type(). However, when check_removing_space_info() frees these elements, it does not call btrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is not called and the associated kobj->name objects are leaked. This memory leak is reproduced by running the blktests test case zbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak feature reports the following error: unreferenced object 0xffff888112877d40 (size 16): comm "mount", pid 1244, jiffies 4294996972 hex dump (first 16 bytes): 64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f data-reloc...... backtrace (crc 53ffde4d): __kmalloc_node_track_caller_noprof+0x619/0x870 kstrdup+0x42/0xc0 kobject_set_name_vargs+0x44/0x110 kobject_init_and_add+0xcf/0x150 btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs] create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs] create_space_info+0x211/0x320 [btrfs] btrfs_init_space_info+0x15a/0x1b0 [btrfs] open_ctree+0x33c7/0x4a50 [btrfs] btrfs_get_tree.cold+0x9f/0x1ee [btrfs] vfs_get_tree+0x87/0x2f0 vfs_cmd_create+0xbd/0x280 __do_sys_fsconfig+0x3df/0x990 do_syscall_64+0x136/0x1540 entry_SYSCALL_64_after_hwframe+0x76/0x7e To avoid the leak, call btrfs_sysfs_remove_space_info() instead of kfree() for the elements. |
CVE-2026-31434
|
| VCID-mzw8-vbmv-6yay | kernel: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug |
CVE-2023-52629
|
| VCID-n127-8kq6-1kb6 | kernel: powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW |
CVE-2024-57999
|
| VCID-n1tb-u9us-57bv | kernel: Kernel: Race condition in espintcp can lead to denial of service |
CVE-2026-23239
|
| VCID-n2ac-dtm2-sqa9 | kernel: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race |
CVE-2026-23271
|
| VCID-n2t8-afcr-sffj | kernel: bpf: Forget ranges when refining tnum after JSET |
CVE-2025-39748
|
| VCID-n4p8-dgkk-3bfr | kernel: udmabuf: change folios array from kmalloc to kvmalloc |
CVE-2024-56544
|
| VCID-n59e-jkf6-13bf | kernel: ntfs3 local privilege escalation if NTFS character set and remount and umount called simultaneously |
CVE-2022-3238
|
| VCID-n5aj-87mh-hbbd | kernel: drm/mediatek: Fix potential NULL dereference in mtk_crtc_destroy() |
CVE-2024-53056
|
| VCID-n7kt-3rsy-rkg2 | kernel: Linux kernel: Denial of Service in USB-audio MIDI driver due to improper timer shutdown |
CVE-2025-38105
|
| VCID-n7w6-5y7w-gbcd | kernel: ext4: avoid journaling sb update on error if journal is destroying |
CVE-2025-22113
|
| VCID-n88t-yc67-r3f5 | In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an additional audit with Claude Code based on CVE-2025-38617. |
CVE-2026-31504
|
| VCID-n8y5-74xq-f7ft | kernel: can: usb: etas_es58x: correctly anchor the urb in the read bulk callback |
CVE-2026-23324
|
| VCID-nbnz-q819-f7g8 | kernel: netfilter: nf_tables: avoid chain re-validation if possible |
CVE-2025-71160
|
| VCID-ncy9-6whk-ckep | kernel: ALSA: usb-audio: Prevent excessive number of frames |
CVE-2026-23208
|
| VCID-ner2-8g1r-6bh5 | kernel: serial: sc16is7xx: fix TX fifo corruption |
CVE-2024-44951
|
| VCID-nfcw-pgwv-37dr | kernel: smb: client: fix double free of TCP_Server_Info::hostname |
CVE-2025-21673
|
| VCID-nfg3-jgk3-z7bk | kernel: blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none |
CVE-2023-53292
|
| VCID-ng2z-3hcf-9uh8 | kernel: net/mlx5e: Harden uplink netdev access against device unbind |
CVE-2025-39947
|
| VCID-nhry-edgk-sbd6 | kernel: smb: During unmount, ensure all cached dir instances drop their dentry |
CVE-2024-53176
|
| VCID-nnnt-9vn7-rfc1 | kernel: bpf: Fix accesses to uninit stack slots |
CVE-2023-52452
|
| VCID-np3t-m158-k7he | kernel: usb: typec: ucsi: Limit read size on v1.2 |
CVE-2024-35924
|
| VCID-nr6b-wdnx-k7e6 | kernel: RDMA/hns: Fix soft lockup under heavy CEQE load |
CVE-2024-43872
|
| VCID-nrff-k45r-y7bj | kernel: f2fs: fix race in concurrent f2fs_stop_gc_thread |
CVE-2024-53218
|
| VCID-ns6g-c2p2-myf5 | kernel: PCI: imx6: Fix suspend/resume support on i.MX6QDL |
CVE-2024-57809
|
| VCID-nsa2-qgf5-xffq | kernel: fsl/fman: Fix refcount handling of fman-related devices |
CVE-2024-50166
|
| VCID-nsbf-fkcw-cbed |
CVE-2026-31407
|
|
| VCID-ntqj-fmmb-b3g8 | kernel: md: Don't register sync_thread for reshape directly |
CVE-2024-26756
|
| VCID-nuhs-4sjq-dkcb | kernel: inet: frags: flush pending skbs in fqdir_pre_exit() |
CVE-2025-68768
|
| VCID-nv5d-ux4k-gbck | kernel: bonding: change ipsec_lock from spin lock to mutex |
CVE-2024-46678
|
| VCID-nv6q-r1kv-c7e3 | kernel: net/mlx5e: xsk: Fix crash on regular rq reactivation |
CVE-2023-53394
|
| VCID-nw3c-5apn-zfhv | kernel: net: fix segmentation of forwarding fraglist GRO |
CVE-2026-23154
|
| VCID-nwn5-d5f1-rkbr | kernel: ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() |
CVE-2024-40998
|
| VCID-p1cj-v8rw-rqf4 | In the Linux kernel, the following vulnerability has been resolved: net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer smc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores the pointer in pipe_buffer.private. The pipe_buf_operations for these buffers used .get = generic_pipe_buf_get, which only increments the page reference count when tee(2) duplicates a pipe buffer. The smc_spd_priv pointer itself was not handled, so after tee() both the original and the cloned pipe_buffer share the same smc_spd_priv *. When both pipes are subsequently released, smc_rx_pipe_buf_release() is called twice against the same object: 1st call: kfree(priv) sock_put(sk) smc_rx_update_cons() [correct] 2nd call: kfree(priv) sock_put(sk) smc_rx_update_cons() [UAF] KASAN reports a slab-use-after-free in smc_rx_pipe_buf_release(), which then escalates to a NULL-pointer dereference and kernel panic via smc_rx_update_consumer() when it chases the freed priv->smc pointer: BUG: KASAN: slab-use-after-free in smc_rx_pipe_buf_release+0x78/0x2a0 Read of size 8 at addr ffff888004a45740 by task smc_splice_tee_/74 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xce/0x650 kasan_report+0xc6/0x100 smc_rx_pipe_buf_release+0x78/0x2a0 free_pipe_info+0xd4/0x130 pipe_release+0x142/0x160 __fput+0x1c6/0x490 __x64_sys_close+0x4f/0x90 do_syscall_64+0xa6/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> BUG: kernel NULL pointer dereference, address: 0000000000000020 RIP: 0010:smc_rx_update_consumer+0x8d/0x350 Call Trace: <TASK> smc_rx_pipe_buf_release+0x121/0x2a0 free_pipe_info+0xd4/0x130 pipe_release+0x142/0x160 __fput+0x1c6/0x490 __x64_sys_close+0x4f/0x90 do_syscall_64+0xa6/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Kernel panic - not syncing: Fatal exception Beyond the memory-safety problem, duplicating an SMC splice buffer is semantically questionable: smc_rx_update_cons() would advance the consumer cursor twice for the same data, corrupting receive-window accounting. A refcount on smc_spd_priv could fix the double-free, but the cursor-accounting issue would still need to be addressed separately. The .get callback is invoked by both tee(2) and splice_pipe_to_pipe() for partial transfers; both will now return -EFAULT. Users who need to duplicate SMC socket data must use a copy-based read path. |
CVE-2026-31507
|
| VCID-p1cz-e94f-57c2 | kernel: crypto: x86/aegis - Add missing error checks |
CVE-2025-39789
|
| VCID-p2ng-3bek-d3b6 | kernel: fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST |
CVE-2025-71267
|
| VCID-p31e-jzac-8kbe | kernel: scsi: ufs: core: Fix use-after free in init error and remove paths |
CVE-2025-21739
|
| VCID-p472-z1xz-r3cj | kernel: io_uring/kbuf: re-using old struct io_buffer_list may lead to a use-after-free situation |
CVE-2025-21836
|
| VCID-p47c-bn8d-6ka7 | kernel: LoongArch: KVM: Mark hrtimer to expire in hard interrupt context |
CVE-2024-53089
|
| VCID-p4as-tvvw-ubcu | kernel: drm/amd/display: Add missing NULL pointer check within dpcd_extend_address_range |
CVE-2024-46808
|
| VCID-p4by-fm53-yybk |
CVE-2026-31425
|
|
| VCID-p4nk-v455-puaf | kernel: drm/amd/display: Check index for aux_rd_interval before using |
CVE-2024-46728
|
| VCID-p4p8-hzzp-ake1 | kernel: pmdomain: imx93-blk-ctrl: correct remove path |
CVE-2024-53134
|
| VCID-p595-1qtr-tuae | kernel: net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled |
CVE-2026-23381
|
| VCID-p6sm-vcng-mubd | kernel: net: esp: fix bad handling of pages from page_pool |
CVE-2024-26953
|
| VCID-p72b-szhh-wyd6 | kernel: rxrpc: Make it so that a waiting process can be aborted |
CVE-2023-53218
|
| VCID-p9x5-syxd-fufc | kernel: io_uring/poll: fix multishot recv missing EOF on wakeup race |
CVE-2026-23473
|
| VCID-padk-1w3h-7bfs | kernel: cifs: fix memory leak in smb3_fs_context_parse_param error path |
CVE-2025-68219
|
| VCID-pbby-yjrv-23hc | kernel: media: vimc: skip .s_stream() for stopped entities |
CVE-2025-22028
|
| VCID-pd3f-rmqx-cya3 | kernel: staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() |
CVE-2025-38585
|
| VCID-pepq-cqcb-dkdm | kernel: net: add xmit recursion limit to tunnel xmit functions |
CVE-2026-23276
|
| VCID-pg2a-j1hc-83hr | kernel: net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg |
CVE-2024-49568
|
| VCID-pk74-dafk-e3gj | kernel: drm/amdgpu: change vm->task_info handling |
CVE-2024-41008
|
| VCID-pmn9-t8by-myhb | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly. |
CVE-2026-31431
|
| VCID-pnfa-xm28-w3bk | kernel: ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() |
CVE-2026-23304
|
| VCID-ppgp-v6th-y3ar | kernel: smb: client: Fix use-after-free of network namespace. |
CVE-2024-53095
|
| VCID-ppyy-4rvt-gydv | kernel: KVM: arm64: Check the untrusted offset in FF-A memory share |
CVE-2025-40266
|
| VCID-psqs-wgmf-57d8 | kernel: ksmbd: fix WARNING "do not call blocking ops when !TASK_RUNNING" |
CVE-2025-37802
|
| VCID-ptyj-1y6d-dud1 | kernel: Linux kernel: Denial of Service via unsafe requeue in rxrpc_recvmsg |
CVE-2026-23066
|
| VCID-puhc-5h95-13ff | kernel: Kernel: Bluetooth HCI local DoS |
CVE-2024-58241
|
| VCID-pva7-b7rk-ykam |
CVE-2026-31410
|
|
| VCID-pwd1-juze-77bx | kernel: arm64: io: Extract user memory type in ioremap_prot() |
CVE-2026-23346
|
| VCID-pytf-9ehq-ykc5 | In the Linux kernel, the following vulnerability has been resolved: ext4: reject mount if bigalloc with s_first_data_block != 0 bigalloc with s_first_data_block != 0 is not supported, reject mounting it. |
CVE-2026-31447
|
| VCID-q1ts-48c2-xkgb | kernel: l2tp: prevent possible tunnel refcount underflow |
CVE-2024-49940
|
| VCID-q2nc-hdcj-gfdm | kernel: btrfs: do not BUG_ON() when freeing tree block after error |
CVE-2024-44963
|
| VCID-q3hg-ug68-cffr | kernel: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data |
CVE-2025-68342
|
| VCID-q5ky-7fqu-efcs | kernel: kvm: s390: Reject memory region operations for ucontrol VMs |
CVE-2024-43819
|
| VCID-q7a3-cm2m-ayga | kernel: smc: Fix use-after-free in __pnet_find_base_ndev() |
CVE-2025-40064
|
| VCID-q7ty-xfyp-cbff | kernel: net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY |
CVE-2025-37945
|
| VCID-q8p1-em5q-wuhw | kernel: Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd |
CVE-2025-21969
|
| VCID-qa1s-pr21-cycs | kernel: Kernel: Denial of Service via DVB DVR ringbuffer reinitialization flaw |
CVE-2026-23253
|
| VCID-qdxg-kymb-mqdb | kernel: net: decrease cached dst counters in dst_release |
CVE-2025-22057
|
| VCID-qffu-7n92-bbhy | In the Linux kernel, the following vulnerability has been resolved: mtd: Avoid boot crash in RedBoot partition table parser Given CONFIG_FORTIFY_SOURCE=y and a recent compiler, commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available") produces the warning below and an oops. Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000 ------------[ cut here ]------------ WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1 memcmp: detected buffer overflow: 15 byte read of buffer size 14 Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE As Kees said, "'names' is pointing to the final 'namelen' many bytes of the allocation ... 'namelen' could be basically any length at all. This fortify warning looks legit to me -- this code used to be reading beyond the end of the allocation." Since the size of the dynamic allocation is calculated with strlen() we can use strcmp() instead of memcmp() and remain within bounds. |
CVE-2026-23474
|
| VCID-qg8t-cx91-c7e3 | kernel: f2fs: fix to shrink read extent node in batches |
CVE-2024-41935
|
| VCID-qje4-3svy-5kg8 | kernel: net: stmmac: move the EST lock to struct stmmac_priv |
CVE-2024-38594
|
| VCID-qjqb-cqc9-17e1 | kernel: use-after-free in drivers/net/usb/lan78xx.c in lan78xx_disconnect |
CVE-2023-6039
|
| VCID-qjup-fvr1-xybc | kernel: ksmbd: add bounds check for durable handle context |
CVE-2025-22043
|
| VCID-qk2m-qzes-qfhu | kernel: leds: an30259a: Use devm_mutex_init() for mutex initialization |
CVE-2024-42128
|
| VCID-qmuk-1txu-z3da | kernel: Squashfs: check metadata block offset is within range |
CVE-2026-23388
|
| VCID-qsdm-cyzs-aufy |
CVE-2026-31414
|
|
| VCID-qucs-qaj4-q7cf | kernel: btrfs: zoned: fix use-after-free in do_zone_finish() |
CVE-2024-26944
|
| VCID-qweq-8dcb-x7eb | kernel: gfs2: Validate i_depth for exhash directories |
CVE-2025-38710
|
| VCID-qwre-yeev-uya8 | kernel: ASoC: SOF: ipc4-pcm: Workaround for crashed firmware on system suspend |
CVE-2024-27057
|
| VCID-qx21-w7wn-tqap | kernel: f2fs: fix to do sanity check on node footer in {read,write}_end_io |
CVE-2026-23265
|
| VCID-qxd4-7ack-dkaf | kernel: mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc() |
CVE-2025-39910
|
| VCID-qxth-4ftd-s3ac | kernel: media: mediatek: vcodec: Only free buffer VA that is not NULL |
CVE-2023-52888
|
| VCID-qyu2-kw7b-1kg1 | kernel: riscv: VMAP_STACK overflow detection thread-safe |
CVE-2023-52761
|
| VCID-qyxy-uh9d-fqhr | kernel: RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() |
CVE-2026-23335
|
| VCID-qzb2-2zd9-5kf4 | kernel: drm/amd/display: Disable DMCUB timeout for DCN35 |
CVE-2024-46870
|
| VCID-r23v-vjat-6qdk | kernel: ice: protect XDP configuration with a mutex |
CVE-2024-46765
|
| VCID-r4zk-9j6t-uyhg | kernel: Bluetooth: MGMT: Fix possible UAFs |
CVE-2025-39981
|
| VCID-r76g-d7px-hqff | kernel: net/sched: ets: fix divide by zero in the offload path |
CVE-2026-23379
|
| VCID-r7fp-rb7m-b7gs |
CVE-2026-31427
|
|
| VCID-r89h-js19-77dr | In the Linux kernel, the following vulnerability has been resolved: ext4: fix use-after-free in update_super_work when racing with umount Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups reads during unmount. However, this introduced a use-after-free because update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which accesses the kobject's kernfs_node after it has been freed by kobject_del() in ext4_unregister_sysfs(): update_super_work ext4_put_super ----------------- -------------- ext4_unregister_sysfs(sb) kobject_del(&sbi->s_kobj) __kobject_del() sysfs_remove_dir() kobj->sd = NULL sysfs_put(sd) kernfs_put() // RCU free ext4_notify_error_sysfs(sbi) sysfs_notify(&sbi->s_kobj) kn = kobj->sd // stale pointer kernfs_get(kn) // UAF on freed kernfs_node ext4_journal_destroy() flush_work(&sbi->s_sb_upd_work) Instead of reordering the teardown sequence, fix this by making ext4_notify_error_sysfs() detect that sysfs has already been torn down by checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call in that case. A dedicated mutex (s_error_notify_mutex) serializes ext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs() to prevent TOCTOU races where the kobject could be deleted between the state_in_sysfs check and the sysfs_notify() call. |
CVE-2026-31446
|
| VCID-r99q-4cst-dbem | kernel: md/raid1,raid10: don't ignore IO flags |
CVE-2025-22125
|
| VCID-rayk-m71k-pkd5 | kernel: drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn401_init_hw |
CVE-2024-49916
|
| VCID-rbua-nn9a-kfb9 | kernel: drm/nouveau/kms/nv50-: init hpd_irq_lock for PIOR DP |
CVE-2023-54263
|
| VCID-rdch-b3ck-qugc | kernel: drm/amd/display: Fix hang/underflow when transitioning to ODM4:1 |
CVE-2023-52671
|
| VCID-rffh-vskt-b7ga | kernel: net/mlx5e: Remove skb secpath if xfrm state is not found |
CVE-2025-38590
|
| VCID-rh4e-sbew-nkbm | kernel: virtio: break and reset virtio devices on device_shutdown() |
CVE-2025-38064
|
| VCID-rjdd-dk1r-subd | kernel: blk-cgroup: hold queue_lock when removing blkg->q_node |
CVE-2023-54088
|
| VCID-rjgp-ta5t-vqge | kernel: xfrm: Duplicate SPI Handling |
CVE-2025-39797
|
| VCID-rjuh-7kkv-3qch | kernel: btrfs: do proper folio cleanup when cow_file_range() failed |
CVE-2024-57976
|
| VCID-rkqz-erqh-dfh4 | In the Linux kernel, the following vulnerability has been resolved: btrfs: log new dentries when logging parent dir of a conflicting inode If we log the parent directory of a conflicting inode, we are not logging the new dentries of the directory, so when we finish we have the parent directory's inode marked as logged but we did not log its new dentries. As a consequence if the parent directory is explicitly fsynced later and it does not have any new changes since we logged it, the fsync is a no-op and after a power failure the new dentries are missing. Example scenario: $ mkdir foo $ sync $rmdir foo $ mkdir dir1 $ mkdir dir2 # A file with the same name and parent as the directory we just deleted # and was persisted in a past transaction. So the deleted directory's # inode is a conflicting inode of this new file's inode. $ touch foo $ ln foo dir2/link # The fsync on dir2 will log the parent directory (".") because the # conflicting inode (deleted directory) does not exists anymore, but it # it does not log its new dentries (dir1). $ xfs_io -c "fsync" dir2 # This fsync on the parent directory is no-op, since the previous fsync # logged it (but without logging its new dentries). $ xfs_io -c "fsync" . <power failure> # After log replay dir1 is missing. Fix this by ensuring we log new dir dentries whenever we log the parent directory of a no longer existing conflicting inode. A test case for fstests will follow soon. |
CVE-2026-23465
|
| VCID-rmuw-t9j1-sygw | kernel: blk-mq: fix potential deadlock while nr_requests grown |
CVE-2025-40146
|
| VCID-rq73-h79m-hqhy | kernel: ksmbd: Fix UAF in __close_file_table_ids |
CVE-2025-37952
|
| VCID-rrxa-r3j8-ubh3 | In the Linux kernel, the following vulnerability has been resolved: media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0) queue teardown paths. This can race request object cleanup against vb2 queue cancellation and lead to use-after-free reports. We already serialize request queueing against STREAMON/OFF with req_queue_mutex. Extend that serialization to REQBUFS, and also take the same mutex in media_request_ioctl_reinit() so REINIT is in the same exclusion domain. This keeps request cleanup and queue cancellation from running in parallel for request-capable devices. |
CVE-2026-31473
|
| VCID-rsz5-e5fc-syh2 | kernel: ax25: Remove broken autobind |
CVE-2025-22109
|
| VCID-rudf-s931-1qct | kernel: nvme-tcp: sanitize request list handling |
CVE-2025-38264
|
| VCID-rup3-z1qu-j3hr | kernel: thermal: core: Reference count the zone in thermal_zone_get_by_id() |
CVE-2024-50028
|
| VCID-rv7g-3bjt-qkgc | In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix memory leak when a wq is reset idxd_wq_disable_cleanup() which is called from the reset path for a workqueue, sets the wq type to NONE, which for other parts of the driver mean that the wq is empty (all its resources were released). Only set the wq type to NONE after its resources are released. |
CVE-2026-31441
|
| VCID-rw71-ued5-jfg4 | kernel: net: stmmac: Correctly handle Rx checksum offload errors |
CVE-2025-40337
|
| VCID-rwfc-mzfg-akft | kernel: pNFS: Fix a deadlock when returning a delegation during open() |
CVE-2026-23050
|
| VCID-rxej-y11f-tbca | kernel: bpf: Fix stackmap overflow check in __bpf_get_stackid() |
CVE-2025-68378
|
| VCID-rzvj-774t-cqf8 | kernel: drm/amdgpu: variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()' |
CVE-2024-26672
|
| VCID-s5k9-u1uk-3be8 | kernel: Linux kernel: Denial of Service in ublk due to deadlock when reading partition table |
CVE-2025-68823
|
| VCID-s9mp-wsn8-cycf | kernel: accel/habanalabs: support mapping cb with vmalloc-backed coherent memory |
CVE-2025-40311
|
| VCID-sdwv-6ycc-9ubh | kernel: media: ipu-bridge: Fix null pointer deref on SSDB/PLD parsing warnings |
CVE-2023-53336
|
| VCID-sjam-bp41-27f4 | kernel: net: usb: kalmia: validate USB endpoints |
CVE-2026-23365
|
| VCID-sk93-hxg5-yffv | kernel: erofs: handle overlapped pclusters out of crafted images properly |
CVE-2024-47736
|
| VCID-skjn-kete-x7e1 | kernel: net: stmmac: fix TSO DMA API usage causing oops |
CVE-2024-56719
|
| VCID-sm3v-84rs-nyem | In the Linux kernel, the following vulnerability has been resolved: net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect syzkaller reported a bug [1], and the reproducer is available at [2]. ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING (-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. When rose_connect() is called a second time while the first connection attempt is still in progress (TCP_SYN_SENT), it overwrites rose->neighbour via rose_get_neigh(). If that returns NULL, the socket is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL. When the socket is subsequently closed, rose_release() sees ROSE_STATE_1 and calls rose_write_internal() -> rose_transmit_link(skb, NULL), causing a NULL pointer dereference. Per connect(2), a second connect() while a connection is already in progress should return -EALREADY. Add this missing check for TCP_SYN_SENT to complete the state validation in rose_connect(). [1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271 [2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516 |
CVE-2026-23460
|
| VCID-sne8-13hq-mqan | kernel: netfilter: nf_tables: unconditionally bump set->nelems before insertion |
CVE-2026-23272
|
| VCID-spab-qnhh-vqap | kernel: irqchip/sifive-plic: Fix frozen interrupt due to affinity setting |
CVE-2026-23287
|
| VCID-sq9c-y7kc-1yga | kernel: f2fs: fix null-ptr-deref in f2fs_submit_page_bio() |
CVE-2024-53221
|
| VCID-sqf7-4e8r-7ken | kernel: wifi: mac80211: fix NULL deref in mesh_matches_local() |
CVE-2026-23396
|
| VCID-st59-ndz1-1yc5 | kernel: f2fs: fix to do sanity check on node blkaddr in truncate_node() |
CVE-2024-56692
|
| VCID-stma-rnkr-c3ef | kernel: s390/pkey: Wipe copies of protected- and secure-keys |
CVE-2024-42155
|
| VCID-susc-ysbn-eqbn | kernel: RDMA/mlx5: Fix a WARN during dereg_mr for DM type |
CVE-2025-21888
|
| VCID-sv2x-sud7-9fcv | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Userspace can pass an arbitrary number of BO list entries via the bo_number field. Although the previous multiplication overflow check prevents out-of-bounds allocation, a large number of entries could still cause excessive memory allocation (up to potentially gigabytes) and unnecessarily long list processing times. Introduce a hard limit of 128k entries per BO list, which is more than sufficient for any realistic use case (e.g., a single list containing all buffers in a large scene). This prevents memory exhaustion attacks and ensures predictable performance. Return -EINVAL if the requested entry count exceeds the limit (cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332) |
CVE-2026-23468
|
| VCID-sv8j-57vx-9ubs | kernel: drm/amd/display: Ensure array index tg_inst won't be -1 |
CVE-2024-46730
|
| VCID-svm7-nyr5-kfa3 | kernel: atm: lec: fix null-ptr-deref in lec_arp_clear_vccs |
CVE-2026-23286
|
| VCID-sy3c-f5q7-qygm | kernel: icmp: fix NULL pointer dereference in icmp_tag_validation() |
CVE-2026-23398
|
| VCID-syxu-a4az-qfe4 | kernel: block/rq_qos: protect rq_qos apis with a new lock |
CVE-2023-53823
|
| VCID-szdg-jd74-r7g1 | kernel: wifi: mac80211: don't WARN for connections on invalid channels |
CVE-2025-71227
|
| VCID-t2sv-vqq2-q7av | kernel: netfilter: nf_tables: always walk all pending catchall elements |
CVE-2026-23278
|
| VCID-t5y5-2hne-7keh | kernel: net: dsa: improve shutdown sequence |
CVE-2024-49998
|
| VCID-t5z7-w31u-j7gs | kernel: virtiofs: use pages instead of pointer for kernel direct IO |
CVE-2024-53219
|
| VCID-t644-dxrr-2qhp | kernel: LoongArch: BPF: Sign extend kfunc call arguments |
CVE-2025-71129
|
| VCID-t8we-jmxu-k3bf | kernel: sched/rt: Fix race in push_rt_task |
CVE-2025-38234
|
| VCID-t9de-4jgf-wuc7 | kernel: smb: Don't leak cfid when reconnect races with open_cached_dir |
CVE-2024-53178
|
| VCID-tb3q-ndrt-mkg3 | kernel: wifi: iwlwifi: read txq->read_ptr under lock |
CVE-2024-36922
|
| VCID-tc63-4q6e-nker | kernel: mm: zswap: properly synchronize freeing resources during CPU hotunplug |
CVE-2025-21693
|
| VCID-td5e-4c6y-cyc9 | kernel: net: usb: kaweth: validate USB endpoints |
CVE-2026-23312
|
| VCID-texr-5weq-v3dw |
CVE-2026-31424
|
|
| VCID-tfg7-cn7k-ffaj | kernel: drm/amd/display: Increase block_sequence array size |
CVE-2025-38080
|
| VCID-tgch-ns3e-qkhc | kernel: LoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC] |
CVE-2024-26768
|
| VCID-tnur-avf1-sybe | kernel: bpf: Call free_htab_elem() after htab_unlock_bucket() |
CVE-2024-56592
|
| VCID-tpyv-xst5-vyd6 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: skip expectations in other netns via proc Skip expectations that do not reside in this netns. Similar to e77e6ff502ea ("netfilter: conntrack: do not dump other netns's conntrack entries via proc"). |
CVE-2026-31496
|
| VCID-tsfh-mjd5-cuch | kernel: smb: client: fix potential UAF in smb2_close_cached_fid() |
CVE-2025-40328
|
| VCID-tsp7-ggzj-gud7 | kernel: ASoC: qcom: Fix uninitialized pointer dmactl |
CVE-2024-26799
|
| VCID-tspb-2q9s-u3d6 | kernel: iommu/vt-d: Use device rbtree in iopf reporting path |
CVE-2024-35843
|
| VCID-tt18-fh9r-57c9 | kernel: nfc: nci: free skb on nci_transceive early error paths |
CVE-2026-23339
|
| VCID-ttde-y49k-eqdw | kernel: exfat: validate cluster allocation bits of the allocation bitmap |
CVE-2025-40307
|
| VCID-tu5g-jnzs-33d4 | In the Linux kernel, the following vulnerability has been resolved: spi: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1] Also note that we do not enable the driver_override feature of struct bus_type, as SPI - in contrast to most other buses - passes "" to sysfs_emit() when the driver_override pointer is NULL. Thus, printing "\n" instead of "(null)\n". |
CVE-2026-31487
|
| VCID-tusw-jz3p-y3d5 | kernel: ksmbd: fix use-after-free in smb_break_all_levII_oplock() |
CVE-2025-37776
|
| VCID-tyvp-9xvj-7uax | kernel: drm/amd/display: Prevent crash when disable stream |
CVE-2024-35799
|
| VCID-tzdq-wy6d-xbbx | kernel: PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry |
CVE-2026-23361
|
| VCID-u28n-uwtv-tyaj | kernel: netfilter: IDLETIMER: Fix for possible ABBA deadlock |
CVE-2024-54683
|
| VCID-u2dn-mnr7-m3hy | kernel: s390/ism: fix concurrency management in ism_cmd() |
CVE-2025-39726
|
| VCID-u58e-6ztz-5bcx | kernel: f2fs: fix to avoid overflow while left shift operation |
CVE-2025-40077
|
| VCID-u6nn-wr8u-qqdj | kernel: Linux kernel: Use-after-free in bonding module can cause system crash or arbitrary code execution |
CVE-2026-23171
|
| VCID-u892-96zg-9ke6 | In the Linux kernel, the following vulnerability has been resolved: udp: Fix wildcard bind conflict check when using hash2 When binding a udp_sock to a local address and port, UDP uses two hashes (udptable->hash and udptable->hash2) for collision detection. The current code switches to "hash2" when hslot->count > 10. "hash2" is keyed by local address and local port. "hash" is keyed by local port only. The issue can be shown in the following bind sequence (pseudo code): bind(fd1, "[fd00::1]:8888") bind(fd2, "[fd00::2]:8888") bind(fd3, "[fd00::3]:8888") bind(fd4, "[fd00::4]:8888") bind(fd5, "[fd00::5]:8888") bind(fd6, "[fd00::6]:8888") bind(fd7, "[fd00::7]:8888") bind(fd8, "[fd00::8]:8888") bind(fd9, "[fd00::9]:8888") bind(fd10, "[fd00::10]:8888") /* Correctly return -EADDRINUSE because "hash" is used * instead of "hash2". udp_lib_lport_inuse() detects the * conflict. */ bind(fail_fd, "[::]:8888") /* After one more socket is bound to "[fd00::11]:8888", * hslot->count exceeds 10 and "hash2" is used instead. */ bind(fd11, "[fd00::11]:8888") bind(fail_fd, "[::]:8888") /* succeeds unexpectedly */ The same issue applies to the IPv4 wildcard address "0.0.0.0" and the IPv4-mapped wildcard address "::ffff:0.0.0.0". For example, if there are existing sockets bound to "192.168.1.[1-11]:8888", then binding "0.0.0.0:8888" or "[::ffff:0.0.0.0]:8888" can also miss the conflict when hslot->count > 10. TCP inet_csk_get_port() already has the correct check in inet_use_bhash2_on_bind(). Rename it to inet_use_hash2_on_bind() and move it to inet_hashtables.h so udp.c can reuse it in this fix. |
CVE-2026-31503
|
| VCID-u8gh-ber8-q3dw | kernel: drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs |
CVE-2024-49901
|
| VCID-ub6v-8wt6-5fbg | kernel: PCI: Avoid putting some root ports into D3 on TUXEDO Sirius Gen1 |
CVE-2025-21831
|
| VCID-ub6v-vb3r-83eh | kernel: x86/efi: defer freeing of boot services memory |
CVE-2026-23352
|
| VCID-ubtn-8mb7-huef | kernel: Input: lkkbd - disable pending work before freeing device |
CVE-2025-71073
|
| VCID-ubuz-ts2u-ufem | kernel: rcu: Fix rcu_read_unlock() deadloop due to IRQ work |
CVE-2025-39744
|
| VCID-ubyx-g9qc-x7dk | kernel: net/sched: Fix mirred deadlock on device recursion |
CVE-2024-27010
|
| VCID-ucab-wj54-hyey | kernel: Linux kernel: Local denial of service in device mapper |
CVE-2025-38140
|
| VCID-udny-3t6r-fyhn | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: prevent immediate PASID reuse case PASID reuse could cause interrupt issue when process immediately runs into hw state left by previous process exited with the same PASID, it's possible that page faults are still pending in the IH ring buffer when the process exits and frees up its PASID. To prevent the case, it uses idr cyclic allocator same as kernel pid's. (cherry picked from commit 8f1de51f49be692de137c8525106e0fce2d1912d) |
CVE-2026-31462
|
| VCID-uem4-47we-qua4 | kernel: f2fs: fix to cover read extent cache access with lock |
CVE-2024-44941
|
| VCID-ug16-p9vj-57e7 | kernel: RDMA/hns: Fix double destruction of rsv_qp |
CVE-2025-38582
|
| VCID-ug5j-gaab-kuag | kernel: cxl/port: Fix use-after-free, permit out-of-order decoder shutdown |
CVE-2024-50226
|
| VCID-uh94-5nuu-w7fd | kernel: parisc: Try to fix random segmentation faults in package builds |
CVE-2024-40918
|
| VCID-uhng-dru9-7yht | In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: Do not perform PM inside suspend callback syzbot reports "task hung in rpm_resume" This is caused by aqc111_suspend calling the PM variant of its write_cmd routine. The simplified call trace looks like this: rpm_suspend() usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING aqc111_suspend() - called for the usb device interface aqc111_write32_cmd() usb_autopm_get_interface() pm_runtime_resume_and_get() rpm_resume() - here we call rpm_resume() on our parent rpm_resume() - Here we wait for a status change that will never happen. At this point we block another task which holds rtnl_lock and locks up the whole networking stack. Fix this by replacing the write_cmd calls with their _nopm variants |
CVE-2026-23446
|
| VCID-ukr2-rp6y-rkf1 | kernel: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels |
CVE-2026-23274
|
| VCID-umyr-w4sv-gkgd | kernel: pinmux: Use sequential access to access desc->pinmux data |
CVE-2024-47141
|
| VCID-upcd-ngpy-ekeu |
CVE-2026-31411
|
|
| VCID-uvyu-va81-wbgj | In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: use netlink policy range checks Replace manual range and mask validations with netlink policy annotations in ctnetlink code paths, so that the netlink core rejects invalid values early and can generate extack errors. - CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at policy level, removing the manual >= TCP_CONNTRACK_MAX check. - CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE (14). The normal TCP option parsing path already clamps to this value, but the ctnetlink path accepted 0-255, causing undefined behavior when used as a u32 shift count. - CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS: use NLA_POLICY_MASK with CTA_FILTER_F_ALL, removing the manual mask checks. - CTA_EXPECT_FLAGS: use NLA_POLICY_MASK with NF_CT_EXPECT_MASK, adding a new mask define grouping all valid expect flags. Extracted from a broader nf-next patch by Florian Westphal, scoped to ctnetlink for the fixes tree. |
CVE-2026-31495
|
| VCID-uzfu-ke47-1qaq |
CVE-2026-23426
|
|
| VCID-uzsb-9yx8-kua1 | kernel: wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask() |
CVE-2025-39732
|
| VCID-v1ka-ynm7-q3cw | kernel: drm/amd/display: Add null check for 'afb' in amdgpu_dm_update_cursor (v2) |
CVE-2024-49908
|
| VCID-v2rb-s1g7-1ub4 | In the Linux kernel, the following vulnerability has been resolved: NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd The /proc/fs/nfs/exports proc entry is created at module init and persists for the module's lifetime. exports_proc_open() captures the caller's current network namespace and stores its svc_export_cache in seq->private, but takes no reference on the namespace. If the namespace is subsequently torn down (e.g. container destruction after the opener does setns() to a different namespace), nfsd_net_exit() calls nfsd_export_shutdown() which frees the cache. Subsequent reads on the still-open fd dereference the freed cache_detail, walking a freed hash table. Hold a reference on the struct net for the lifetime of the open file descriptor. This prevents nfsd_net_exit() from running -- and thus prevents nfsd_export_shutdown() from freeing the cache -- while any exports fd is open. cache_detail already stores its net pointer (cd->net, set by cache_create_net()), so exports_release() can retrieve it without additional per-file storage. |
CVE-2026-31403
|
| VCID-v2y7-vmt3-w3dq | kernel: ksmbd: vfs: fix race on m_flags in vfs_cache |
CVE-2025-68809
|
| VCID-v3ba-uvsy-ybfv | kernel: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() |
CVE-2025-71221
|
| VCID-v3m5-xj2s-5yef | kernel: s390/mm: Fix in_atomic() handling in do_secure_storage_access() |
CVE-2025-38359
|
| VCID-v41b-jva8-u7at | kernel: afs: Fix lock recursion |
CVE-2024-53090
|
| VCID-v4ds-msgy-m3bv | kernel: btrfs: fix block group refcount race in btrfs_create_pending_block_groups() |
CVE-2025-22115
|
| VCID-v893-rr8x-nyay | kernel: btrfs: send: check for inline extents in range_is_hole_in_parent() |
CVE-2026-23141
|
| VCID-v8xr-k446-8uar | kernel: Linux kernel: Denial of Service due to race condition in fbcon setup |
CVE-2025-68296
|
| VCID-v9bm-48ec-9fc2 | kernel: net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown |
CVE-2026-23454
|
| VCID-v9p4-t339-t3g4 | kernel: net: dsa: properly keep track of conduit reference |
CVE-2025-71152
|
| VCID-vaaz-21uq-gbc8 | kernel: interconnect: Fix locking for runpm vs reclaim |
CVE-2023-54013
|
| VCID-vccj-gtv8-kug3 | kernel: bpf: Fix stack-out-of-bounds write in devmap |
CVE-2026-23359
|
| VCID-vck1-emav-93gc | kernel: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger |
CVE-2024-38630
|
| VCID-vdnv-8h83-7kfs | kernel: ipv6: use RCU in ip6_xmit() |
CVE-2025-40135
|
| VCID-vejg-5n4z-c7e8 | kernel: arm64: mm: fix VA-range sanity check |
CVE-2023-53989
|
| VCID-vfxs-5p9x-5kcx | kernel: Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync |
CVE-2024-50029
|
| VCID-vgze-rbc5-bbc6 | kernel: netfilter: xt_CT: drop pending enqueued packets on template removal |
CVE-2026-23391
|
| VCID-vm3p-zgmr-13gw | kernel: drm/amd/display: Fix index may exceed array range within fpu_update_bw_bounding_box |
CVE-2024-46811
|
| VCID-vmts-4etq-hqh7 | kernel: gfs2: Fix potential glock use-after-free on unmount |
CVE-2024-38570
|
| VCID-vmvf-81ex-yug4 | kernel: nvme-rdma: unquiesce admin_q before destroy it |
CVE-2024-49569
|
| VCID-vqmu-xn3y-e3gc | kernel: io_uring/net: don't overflow multishot recv |
CVE-2023-54030
|
| VCID-vrfu-1kn8-x3be | kernel: mm: memory-failure: update ttu flag inside unmap_poisoned_folio |
CVE-2025-21907
|
| VCID-vrz9-k2a3-4uep | kernel: scsi: hisi_sas: Create all dump files during debugfs initialization |
CVE-2024-56588
|
| VCID-vsyg-x46t-ayhz | kernel: net/sched: cls_u32: use skb_header_pointer_careful() |
CVE-2026-23204
|
| VCID-vt3e-tx5j-b7aq | kernel: reiserfs: Avoid touching renamed directory if parent does not change |
CVE-2023-52591
|
| VCID-vtwb-e5mq-6bgq | kernel: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit |
CVE-2026-23277
|
| VCID-vw6j-sby6-dbh3 | In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: Fix double-free in teql_master_xmit Whenever a TEQL device has a lockless Qdisc as root, qdisc_reset should be called using the seq_lock to avoid racing with the datapath. Failure to do so may cause crashes like the following: ---truncated--- |
CVE-2026-23449
|
| VCID-vwmn-w6tb-sudq | kernel: Linux kernel: Denial of Service in amd-pstate cpufreq driver via deadlock |
CVE-2025-38038
|
| VCID-vwnc-y4ve-nkhv | kernel: drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable() |
CVE-2024-45015
|
| VCID-vxys-jj3n-n7gz | kernel: eth: bnxt: fix truesize for mb-xdp-pass case |
CVE-2025-21961
|
| VCID-vysr-bztb-yugx | kernel: i40e: remove read access to debugfs files |
CVE-2025-39901
|
| VCID-vz1n-7fbk-kyag | kernel: f2fs: fix to detect potential corrupted nid in free_nid_list |
CVE-2025-68315
|
| VCID-vz73-y2va-5kbw | In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB. Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly. Compile-tested only. |
CVE-2026-23447
|
| VCID-vzkt-5648-ukh7 |
CVE-2026-31415
|
|
| VCID-w1sf-m294-jke8 | kernel: fbdev: hyperv_fb: Allow graceful removal of framebuffer |
CVE-2025-21976
|
| VCID-w4d7-nppw-pye9 | kernel: scsi: ufs: exynos: Disable iocc if dma-coherent property isn't set |
CVE-2025-37977
|
| VCID-w4u7-5ke3-57a7 | kernel: net/mlx5e: Avoid WARN_ON when configuring MQPRIO with HTB offload enabled |
CVE-2025-38039
|
| VCID-w53c-hafw-6kbb | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a boundary check for len bytes after get_bits() and before get_uint(). |
CVE-2026-23456
|
| VCID-w71f-nskm-nyau | kernel: udmabuf: fix memory leak on last export_udmabuf() error path |
CVE-2024-56712
|
| VCID-w8r5-decj-vkem | kernel: io_uring: prevent opcode speculation |
CVE-2025-21863
|
| VCID-wanj-gu4w-2qaz | kernel: padata: Fix pd UAF once and for all |
CVE-2025-38584
|
| VCID-wax6-n8k7-9fab | kernel: ksmbd: prevent rename with empty string |
CVE-2025-37956
|
| VCID-wc4k-86v7-ykh7 | kernel: accel/habanalabs: fix mem leak in capture user mappings |
CVE-2023-53367
|
| VCID-wcu7-me4d-bugc | kernel: ksmbd: add chann_lock to protect ksmbd_chann_list xarray |
CVE-2026-23226
|
| VCID-wd2z-jnpt-3bd3 | kernel: f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread() |
CVE-2024-47691
|
| VCID-wjeh-m3f2-tkbg | kernel: wifi: ath11k: add srng->lock for ath11k_hal_srng_* in monitor mode |
CVE-2024-58096
|
| VCID-wk3t-3jvn-quf1 | kernel: media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode() |
CVE-2025-38237
|
| VCID-wkqf-ex7a-73ft | kernel: ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses |
CVE-2024-26947
|
| VCID-wnh7-18vz-vbgn | kernel: drm/amd/display: Add NULL check for function pointer in dcn401_set_output_transfer_func |
CVE-2024-49910
|
| VCID-wq4h-q7vt-23ex | In the Linux kernel, the following vulnerability has been resolved: nvdimm/bus: Fix potential use after free in asynchronous initialization Dingisoul with KASAN reports a use after free if device_add() fails in nd_async_device_register(). Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent while scheduling async init") correctly added a reference on the parent device to be held until asynchronous initialization was complete. However, if device_add() results in an allocation failure the ref count of the device drops to 0 prior to the parent pointer being accessed. Thus resulting in use after free. The bug bot AI correctly identified the fix. Save a reference to the parent pointer to be used to drop the parent reference regardless of the outcome of device_add(). |
CVE-2026-31399
|
| VCID-wstb-4k78-gufv | kernel: drm/bridge: adv7511: fix crash on irq during probe |
CVE-2024-26876
|
| VCID-wtcb-jzbu-fkcn | In the Linux kernel, the following vulnerability has been resolved: s390/syscalls: Add spectre boundary for syscall dispatch table The s390 syscall number is directly controlled by userspace, but does not have an array_index_nospec() boundary to prevent access past the syscall function pointer tables. |
CVE-2026-31483
|
| VCID-wv35-ucjn-3bb5 | In the Linux kernel, the following vulnerability has been resolved: ext4: avoid infinite loops caused by residual data On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subsequent mkdir operations to reference the previously reclaimed physical block number again, even though this physical block is already being used by the xattr block. Therefore, a situation arises where both the directory and xattr are using the same buffer head block in memory simultaneously. The above causes ext4_xattr_block_set() to enter an infinite loop about "inserted" and cannot release the inode lock, ultimately leading to the 143s blocking problem mentioned in [1]. If the metadata is corrupted, then trying to remove some extent space can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE was passed, remove space wrongly updates quota information. Jan Kara suggests distinguishing between two cases: 1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully consistent and we must maintain its consistency including all the accounting. However these errors can happen only early before we've inserted the extent into the extent tree. So current code works correctly for this case. 2) Some other error - this means metadata is corrupted. We should strive to do as few modifications as possible to limit damage. So I'd just skip freeing of allocated blocks. [1] INFO: task syz.0.17:5995 blocked for more than 143 seconds. Call Trace: inode_lock_nested include/linux/fs.h:1073 [inline] __start_dirop fs/namei.c:2923 [inline] start_dirop fs/namei.c:2934 [inline] |
CVE-2026-31448
|
| VCID-wvp8-cst3-cuhr | kernel: xfrm: state: fix out-of-bounds read during lookup |
CVE-2024-57982
|
| VCID-wwax-w4gg-cuhy | kernel: functionfs: fix the open/removal races |
CVE-2025-71074
|
| VCID-wxx7-3a43-h7gh |
CVE-2026-31408
|
|
| VCID-wzkm-rtcg-cbdu | kernel: media: mediatek: vcodec: Fix H264 stateless decoder smatch warning |
CVE-2024-47752
|
| VCID-x1m4-hf24-27hq | kernel: scsi: target: Fix recursive locking in __configfs_open_file() |
CVE-2026-23292
|
| VCID-x226-2yqa-uuhv | kernel: pmdomain: imx8mp-blk-ctrl: imx8mp_blk: Add fdcc clock to hdmimix domain |
CVE-2024-35942
|
| VCID-x245-d866-nkff | kernel: ksmbd: prevent connection release during oplock break notification |
CVE-2025-21955
|
| VCID-x5jd-ruv2-1qac |
CVE-2026-31428
|
|
| VCID-x5y6-u3c8-3qbe | In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0] Multiple sysfs command paths dereference contexts_arr[0] without first verifying that kdamond->contexts->nr == 1. A user can set nr_contexts to 0 via sysfs while DAMON is running, causing NULL pointer dereferences. In more detail, the issue can be triggered by privileged users like below. First, start DAMON and make contexts directory empty (kdamond->contexts->nr == 0). # damo start # cd /sys/kernel/mm/damon/admin/kdamonds/0 # echo 0 > contexts/nr_contexts Then, each of below commands will cause the NULL pointer dereference. # echo update_schemes_stats > state # echo update_schemes_tried_regions > state # echo update_schemes_tried_bytes > state # echo update_schemes_effective_quotas > state # echo update_tuned_intervals > state Guard all commands (except OFF) at the entry point of damon_sysfs_handle_cmd(). |
CVE-2026-31458
|
| VCID-x6kd-y436-nbaw | kernel: wifi: rtw88: usb: schedule rx work after everything is set up |
CVE-2024-46760
|
| VCID-x9a9-thjn-yya5 | In the Linux kernel, the following vulnerability has been resolved: xfs: save ailp before dropping the AIL lock in push callbacks In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock is dropped to perform buffer IO. Once the cluster buffer no longer protects the log item from reclaim, the log item may be freed by background reclaim or the dquot shrinker. The subsequent spin_lock() call dereferences lip->li_ailp, which is a use-after-free. Fix this by saving the ailp pointer in a local variable while the AIL lock is held and the log item is guaranteed to be valid. |
CVE-2026-31454
|
| VCID-xafq-y8ca-hkhe | kernel: rv: Use strings in da monitors tracepoints |
CVE-2025-38636
|
| VCID-xag6-3jdm-bqha | kernel: fs/ntfs3: Keep write operations atomic |
CVE-2025-37806
|
| VCID-xb4p-ngcu-m3by | kernel: tpm: Lock TPM chip in tpm_pm_suspend() first |
CVE-2024-53085
|
| VCID-xbra-jtwd-6bhf | kernel: wifi: rtw88: fix memory leak in rtw_usb_probe() |
CVE-2023-53460
|
| VCID-xc83-2865-7bgz | kernel: RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers |
CVE-2025-21885
|
| VCID-xd76-s5yw-fyaq | kernel: drm/amdgpu: unmap and remove csa_va properly |
CVE-2023-53545
|
| VCID-xdde-euh1-dqfv | kernel: spi: cadence-quadspi: Implement refcount to handle unbind during busy |
CVE-2025-40005
|
| VCID-xf8w-1v5k-nyf7 | kernel: tcp_metrics: use dst_dev_net_rcu() |
CVE-2025-40075
|
| VCID-xh1w-u484-dbet | In the Linux kernel, the following vulnerability has been resolved: erofs: add GFP_NOIO in the bio completion if needed The bio completion path in the process context (e.g. dm-verity) will directly call into decompression rather than trigger another workqueue context for minimal scheduling latencies, which can then call vm_map_ram() with GFP_KERNEL. Due to insufficient memory, vm_map_ram() may generate memory swapping I/O, which can cause submit_bio_wait to deadlock in some scenarios. Trimmed down the call stack, as follows: f2fs_submit_read_io submit_bio //bio_list is initialized. mmc_blk_mq_recovery z_erofs_endio vm_map_ram __pte_alloc_kernel __alloc_pages_direct_reclaim shrink_folio_list __swap_writepage submit_bio_wait //bio_list is non-NULL, hang!!! Use memalloc_noio_{save,restore}() to wrap up this path. |
CVE-2026-31467
|
| VCID-xh6y-ja9y-u3es | kernel: net: mctp: unshare packets when reassembling |
CVE-2025-21972
|
| VCID-xhfy-gkwq-afbr | kernel: wifi: libertas: fix use-after-free in lbs_free_adapter() |
CVE-2026-23281
|
| VCID-xncx-nvr7-k7d8 | kernel: x86/mm/ident_map: Use gbpages only where full GB page should be mapped. |
CVE-2024-50017
|
| VCID-xp23-rfjr-2ydv | kernel: bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init() |
CVE-2025-39886
|
| VCID-xqpe-25bd-vygx |
CVE-2026-23401
|
|
| VCID-xs4a-ha3z-2bej | kernel: tracing: Add recursion protection in kernel stack trace recording |
CVE-2026-23138
|
| VCID-xxe5-3ae2-vygt | kernel: cxl/port: Fix delete_endpoint() vs parent unregistration race |
CVE-2023-52771
|
| VCID-xxhg-up2k-yyhv | kernel: drm/amd/display: Implement bounds check for stream encoder creation in DCN401 |
CVE-2024-49970
|
| VCID-xyds-k35a-2yf2 | kernel: net: dsa: clean up FDB, MDB, VLAN entries on unbind |
CVE-2025-37864
|
| VCID-xzc2-9tmc-7qey | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET and Intel exception-info retrieval) without holding hci_req_sync_lock(). This lets it race against hci_dev_do_close() -> btintel_shutdown_combined(), which also runs __hci_cmd_sync() under the same lock. When both paths manipulate hdev->req_status/req_rsp concurrently, the close path may free the response skb first, and the still-running hw_error path hits a slab-use-after-free in kfree_skb(). Wrap the whole recovery sequence in hci_req_sync_lock/unlock so it is serialized with every other synchronous HCI command issuer. Below is the data race report and the kasan report: |
CVE-2026-31500
|
| VCID-y13n-jhsr-ryd2 | kernel: mm/vmscan: don't try to reclaim hwpoison folio |
CVE-2025-37834
|
| VCID-y3wu-za9p-yub1 | kernel: nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() |
CVE-2025-21927
|
| VCID-y439-52f2-rfck | kernel: net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop |
CVE-2026-23300
|
| VCID-y4w2-qru6-p3g4 | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix krb5 mount with username option Customer reported that some of their krb5 mounts were failing against a single server as the client was trying to mount the shares with wrong credentials. It turned out the client was reusing SMB session from first mount to try mounting the other shares, even though a different username= option had been specified to the other mounts. Using the username mount option along with sec=krb5 to search for principals from keytab is supported by cifs.upcall(8) since cifs-utils-4.8. So fix this by matching username mount option in match_session() even with Kerberos. For example, the second mount below should fail with -ENOKEY as there is no 'foobar' principal in keytab (/etc/krb5.keytab). The client ends up reusing SMB session from first mount to perform the second one, which is wrong. ``` $ ktutil ktutil: add_entry -password -p testuser -k 1 -e aes256-cts Password for testuser@ZELDA.TEST: ktutil: write_kt /etc/krb5.keytab ktutil: quit $ klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- ---------------------------------------------------------------- 1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96) $ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser $ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar $ mount -t cifs | grep -Po 'username=\K\w+' testuser testuser ``` |
CVE-2026-31392
|
| VCID-y5bm-2fr5-8bbp | kernel: net: dsa: b53: do not enable EEE on bcm63xx |
CVE-2025-38272
|
| VCID-y5ds-5mpf-u3hz | kernel: ext4: avoid deadlock in fs reclaim with page writeback |
CVE-2023-53149
|
| VCID-y6kc-guf2-bqdz | kernel: soc: qcom: icc-bwmon: Fix refcount imbalance seen during bwmon_remove |
CVE-2024-43850
|
| VCID-y7wh-qssq-cbg1 | kernel: drm/amd/display: Check null pointers before multiple uses |
CVE-2024-49920
|
| VCID-ya16-qrwm-kkfs | kernel: Linux kernel: Denial of Service via NULL pointer dereference in blk-cgroup |
CVE-2023-54271
|
| VCID-yaz4-szyc-afg8 | kernel: drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free |
CVE-2026-23227
|
| VCID-ycev-sqxs-13da | kernel: Kernel: Double free vulnerability in exFAT filesystem can lead to denial of service |
CVE-2025-38206
|
| VCID-yehk-tjrt-rbbe | kernel: dm-verity: disable recursive forward error correction |
CVE-2025-71161
|
| VCID-yeww-6ybr-qye8 | kernel: f2fs: fix infinite loop in __insert_extent_tree() |
CVE-2025-40333
|
| VCID-yf6e-3aw3-tqeg | kernel: net: clear the dst when changing skb protocol |
CVE-2025-38192
|
| VCID-yhft-bm7y-jfde | kernel: mm/slub: Avoid list corruption when removing a slab from the full list |
CVE-2024-56566
|
| VCID-yj28-va7b-3ug8 | kernel: net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels |
CVE-2025-21768
|
| VCID-yj3z-hvs9-47hj | In the Linux kernel, the following vulnerability has been resolved: PM: runtime: Fix a race condition related to device removal The following code in pm_runtime_work() may dereference the dev->parent pointer after the parent device has been freed: /* Maybe the parent is now able to suspend. */ if (parent && !parent->power.ignore_children) { spin_unlock(&dev->power.lock); spin_lock(&parent->power.lock); rpm_idle(parent, RPM_ASYNC); spin_unlock(&parent->power.lock); spin_lock(&dev->power.lock); } Fix this by inserting a flush_work() call in pm_runtime_remove(). Without this patch blktest block/001 triggers the following complaint sporadically: |
CVE-2026-23452
|
| VCID-yp8m-zttt-ffdt | kernel: Linux kernel: Denial of service due to a race condition in the TLS subsystem |
CVE-2026-23240
|
| VCID-ypt7-tc1u-p3ev | kernel: btrfs: avoid NULL pointer dereference if no valid csum tree |
CVE-2025-38059
|
| VCID-yq9b-dpsh-cuhy | kernel: drm/amd/display: Disable idle reallow as part of command/gpint execution |
CVE-2024-36024
|
| VCID-yqcj-27j2-tqb8 |
CVE-2026-31419
|
|
| VCID-yr2z-pe4g-8yhu | kernel: nfc: rawsock: cancel tx_work before socket teardown |
CVE-2026-23372
|
| VCID-yr96-2nha-xbed | kernel: can: gs_usb: fix time stamp counter initialization |
CVE-2023-53523
|
| VCID-yrgr-2c4c-3fgq | kernel: bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx |
CVE-2024-53091
|
| VCID-ytcn-fxjj-efhj | kernel: selinux: avoid dereference of garbage after mount failure |
CVE-2024-35904
|
| VCID-ytfc-yqtw-4yhb | kernel: bridge: cfm: Fix race condition in peer_mep deletion |
CVE-2026-23393
|
| VCID-yx1f-r3sr-rues | In the Linux kernel, the following vulnerability has been resolved: ext4: replace BUG_ON with proper error handling in ext4_read_inline_folio Replace BUG_ON() with proper error handling when inline data size exceeds PAGE_SIZE. This prevents kernel panic and allows the system to continue running while properly reporting the filesystem corruption. The error is logged via ext4_error_inode(), the buffer head is released to prevent memory leak, and -EFSCORRUPTED is returned to indicate filesystem corruption. |
CVE-2026-31451
|
| VCID-yx9t-1w27-akec | kernel: btrfs: reject new transactions if the fs is fully read-only |
CVE-2026-23214
|
| VCID-yzsh-2rk2-5yhq | kernel: RDMA/siw: Remove direct link to net_device |
CVE-2024-57857
|
| VCID-z18v-yptf-7fhp | kernel: Linux kernel: Denial of Service in kTLS due to race condition in receive path |
CVE-2025-38616
|
| VCID-z1gu-rwfd-7yfa | kernel: f2fs: fix UAF issue in f2fs_merge_page_bio() |
CVE-2025-40054
|
| VCID-z24p-wtzg-a3gh | kernel: md: Don't ignore read-only array in md_check_recovery() |
CVE-2024-26757
|
| VCID-z3qs-q6ce-aqbc | kernel: s390/pkey: Wipe copies of clear-key structures on failure |
CVE-2024-42156
|
| VCID-z423-786s-hyd2 | kernel: i3c: dw: Fix use-after-free in dw_i3c_master driver due to race condition |
CVE-2024-57984
|
| VCID-z4xx-msk4-k7bz | kernel: xen/events: Return -EEXIST for bound VIRQs |
CVE-2025-40160
|
| VCID-z4yz-sjm9-3ke4 | kernel: f2fs: fix to drop all discards after creating snapshot on lvm device |
CVE-2024-56565
|
| VCID-z6xa-pf4r-4kbm | In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix folio isn't locked in softleaf_to_folio() On arm64 server, we found folio that get from migration entry isn't locked in softleaf_to_folio(). This issue triggers when mTHP splitting and zap_nonpresent_ptes() races, and the root cause is lack of memory barrier in softleaf_to_folio(). The race is as follows: CPU0 CPU1 deferred_split_scan() zap_nonpresent_ptes() lock folio split_folio() unmap_folio() change ptes to migration entries __split_folio_to_order() softleaf_to_folio() set flags(including PG_locked) for tail pages folio = pfn_folio(softleaf_to_pfn(entry)) smp_wmb() VM_WARN_ON_ONCE(!folio_test_locked(folio)) prep_compound_page() for tail pages In __split_folio_to_order(), smp_wmb() guarantees page flags of tail pages are visible before the tail page becomes non-compound. smp_wmb() should be paired with smp_rmb() in softleaf_to_folio(), which is missed. As a result, if zap_nonpresent_ptes() accesses migration entry that stores tail pfn, softleaf_to_folio() may see the updated compound_head of tail page before page->flags. This issue will trigger VM_WARN_ON_ONCE() in pfn_swap_entry_folio() because of the race between folio split and zap_nonpresent_ptes() leading to a folio incorrectly undergoing modification without a folio lock being held. This is a BUG_ON() before commit 93976a20345b ("mm: eliminate further swapops predicates"), which is merged in v6.19-rc1. To fix it, add missing smp_rmb() if the softleaf entry is migration entry in softleaf_to_folio() and softleaf_to_page(). [tujinjiang@huawei.com: update function name and comments] |
CVE-2026-31466
|
| VCID-z711-tvkz-9qa4 | kernel: bonding: check xdp prog when set bond mode |
CVE-2025-22105
|
| VCID-z767-vnpz-37g8 | kernel: drm/amdgpu: Fix the warning division or modulo by zero |
CVE-2024-46806
|
| VCID-z9yn-4b8y-t3er | kernel: SUNRPC: fix a memleak in gss_import_v2_context |
CVE-2023-52653
|
| VCID-zamd-w45x-e3g5 | kernel: workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker |
CVE-2024-57888
|
| VCID-zh6a-z135-ayeg | kernel: dmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup |
CVE-2024-27408
|
| VCID-zhaf-5de2-tycd | In the Linux kernel, the following vulnerability has been resolved: net: macb: fix use-after-free access to PTP clock PTP clock is registered on every opening of the interface and destroyed on every closing. However it may be accessed via get_ts_info ethtool call which is possible while the interface is just present in the kernel. ---truncated--- |
CVE-2026-31396
|
| VCID-zrf8-efng-gfd9 | kernel: drm/amd/display: fix incorrect mpc_combine array size |
CVE-2024-26914
|
| VCID-zs1j-hpbv-7qbz | kernel: ibmvnic: Use kernel helpers for hex dumps |
CVE-2025-22104
|
| VCID-zufu-pwxh-eqbw | kernel: PCI: endpoint: pci-epf-test: Fix double free that causes kernel to oops |
CVE-2025-38069
|
| VCID-zvp5-zhsh-9qap | kernel: ntfs: set dummy blocksize to read boot_block when mounting |
CVE-2025-71067
|
| VCID-zx9u-zu1f-gbf2 | kernel: mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM |
CVE-2024-56611
|
| VCID-zxmw-r6pn-6fdt | kernel: scsi: hisi_sas: Grab sas_dev lock when traversing the members of sas_dev.list |
CVE-2023-53627
|
| VCID-zyme-v3xf-3kah | kernel: scsi: mpi3mr: Fix possible crash when setting up bsg fails |
CVE-2025-21723
|