Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-53085

Summary
Assigner-Linux
Assigner Org ID-416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published At-24 Jun, 2026 | 16:30
Updated At-30 Jun, 2026 | 12:09
Rejected At-
Credits

bpf: fix mm lifecycle in open-coded task_vma iterator

In the Linux kernel, the following vulnerability has been resolved: bpf: fix mm lifecycle in open-coded task_vma iterator The open-coded task_vma iterator reads task->mm locklessly and acquires mmap_read_trylock() but never calls mmget(). If the task exits concurrently, the mm_struct can be freed as it is not SLAB_TYPESAFE_BY_RCU, resulting in a use-after-free. Safely read task->mm with a trylock on alloc_lock and acquire an mm reference. Drop the reference via bpf_iter_mmput_async() in _destroy() and error paths. bpf_iter_mmput_async() is a local wrapper around mmput_async() with a fallback to mmput() on !CONFIG_MMU. Reject irqs-disabled contexts (including NMI) up front. Operations used by _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async) take spinlocks with IRQs disabled (pool->lock, pi_lock). Running from NMI or from a tracepoint that fires with those locks held could deadlock. A trylock on alloc_lock is used instead of the blocking task_lock() (get_task_mm) to avoid a deadlock when a softirq BPF program iterates a task that already holds its alloc_lock on the same CPU.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Linux
Assigner Org ID:416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published At:24 Jun, 2026 | 16:30
Updated At:30 Jun, 2026 | 12:09
Rejected At:
▼CVE Numbering Authority (CNA)
bpf: fix mm lifecycle in open-coded task_vma iterator

In the Linux kernel, the following vulnerability has been resolved: bpf: fix mm lifecycle in open-coded task_vma iterator The open-coded task_vma iterator reads task->mm locklessly and acquires mmap_read_trylock() but never calls mmget(). If the task exits concurrently, the mm_struct can be freed as it is not SLAB_TYPESAFE_BY_RCU, resulting in a use-after-free. Safely read task->mm with a trylock on alloc_lock and acquire an mm reference. Drop the reference via bpf_iter_mmput_async() in _destroy() and error paths. bpf_iter_mmput_async() is a local wrapper around mmput_async() with a fallback to mmput() on !CONFIG_MMU. Reject irqs-disabled contexts (including NMI) up front. Operations used by _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async) take spinlocks with IRQs disabled (pool->lock, pi_lock). Running from NMI or from a tracepoint that fires with those locks held could deadlock. A trylock on alloc_lock is used instead of the blocking task_lock() (get_task_mm) to avoid a deadlock when a softirq BPF program iterates a task that already holds its alloc_lock on the same CPU.

Affected Products
Vendor
Linux Kernel Organization, IncLinux
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • kernel/bpf/task_iter.c
Default Status
unaffected
Versions
Affected
  • From 4ac4546821584736798aaa9e97da9f6eaf689ea3 before 239cec25a22662dbd80f57d94b38178c8be95269 (git)
  • From 4ac4546821584736798aaa9e97da9f6eaf689ea3 before d0862de7c866c5bd7c32531f66738c21197af888 (git)
  • From 4ac4546821584736798aaa9e97da9f6eaf689ea3 before 43683bb280330f3d36f0f2a3932a4867b9603e9c (git)
  • From 4ac4546821584736798aaa9e97da9f6eaf689ea3 before d8e27d2d22b6e2df3a0125b8c08e9aace38c954c (git)
Vendor
Linux Kernel Organization, IncLinux
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • kernel/bpf/task_iter.c
Default Status
affected
Versions
Affected
  • 6.7
Unaffected
  • From 0 before 6.7 (semver)
  • From 6.12.91 through 6.12.* (semver)
  • From 6.18.33 through 6.18.* (semver)
  • From 7.0.10 through 7.0.* (semver)
  • From 7.1 through * (original_commit_for_fix)
Metrics
VersionBase scoreBase severityVector
3.17.8HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://git.kernel.org/stable/c/239cec25a22662dbd80f57d94b38178c8be95269
N/A
https://git.kernel.org/stable/c/d0862de7c866c5bd7c32531f66738c21197af888
N/A
https://git.kernel.org/stable/c/43683bb280330f3d36f0f2a3932a4867b9603e9c
N/A
https://git.kernel.org/stable/c/d8e27d2d22b6e2df3a0125b8c08e9aace38c954c
N/A
Hyperlink: https://git.kernel.org/stable/c/239cec25a22662dbd80f57d94b38178c8be95269
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/d0862de7c866c5bd7c32531f66738c21197af888
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/43683bb280330f3d36f0f2a3932a4867b9603e9c
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/d8e27d2d22b6e2df3a0125b8c08e9aace38c954c
Resource: N/A
▼Authorized Data Publishers (ADP)
kernel: bpf: fix mm lifecycle in open-coded task_vma iterator

A flaw was found in the Linux kernel's Berkeley Packet Filter (BPF) subsystem. This use-after-free vulnerability occurs when the `task_vma` iterator reads task memory without properly acquiring a reference, allowing the memory structure to be freed concurrently while still in use. This can lead to system instability or a denial of service (DoS). Additionally, improper handling of interrupt-disabled contexts could result in a deadlock.

Affected Products
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 10
CPEs
  • cpe:/o:redhat:enterprise_linux:10
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 9
CPEs
  • cpe:/o:redhat:enterprise_linux:9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 6
CPEs
  • cpe:/o:redhat:enterprise_linux:6
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 7
CPEs
  • cpe:/o:redhat:enterprise_linux:7
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 8
CPEs
  • cpe:/o:redhat:enterprise_linux:8
Default Status
unaffected
Problem Types
TypeCWE IDDescription
CWECWE-825Expired Pointer Dereference
Type: CWE
CWE ID: CWE-825
Description: Expired Pointer Dereference
Metrics
VersionBase scoreBase severityVector
3.17.0HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 7.0
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Red Hat severity rating
value:
Important
namespace:
https://access.redhat.com/security/updates/classification/
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Reported to Red Hat.2026-06-24 00:00:00
Made public.2026-06-24 00:00:00
Event: Reported to Red Hat.
Date: 2026-06-24 00:00:00
Event: Made public.
Date: 2026-06-24 00:00:00
Replaced By

Rejected Reason

References
HyperlinkResource
https://access.redhat.com/security/cve/CVE-2026-53085
vdb-entry
x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2492404
issue-tracking
x_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53085.json
x_sadp-csaf-vex
Hyperlink: https://access.redhat.com/security/cve/CVE-2026-53085
Resource:
vdb-entry
x_refsource_REDHAT
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2492404
Resource:
issue-tracking
x_refsource_REDHAT
Hyperlink: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53085.json
Resource:
x_sadp-csaf-vex
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published At:24 Jun, 2026 | 17:17
Updated At:30 Jun, 2026 | 03:20

In the Linux kernel, the following vulnerability has been resolved: bpf: fix mm lifecycle in open-coded task_vma iterator The open-coded task_vma iterator reads task->mm locklessly and acquires mmap_read_trylock() but never calls mmget(). If the task exits concurrently, the mm_struct can be freed as it is not SLAB_TYPESAFE_BY_RCU, resulting in a use-after-free. Safely read task->mm with a trylock on alloc_lock and acquire an mm reference. Drop the reference via bpf_iter_mmput_async() in _destroy() and error paths. bpf_iter_mmput_async() is a local wrapper around mmput_async() with a fallback to mmput() on !CONFIG_MMU. Reject irqs-disabled contexts (including NMI) up front. Operations used by _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async) take spinlocks with IRQs disabled (pool->lock, pi_lock). Running from NMI or from a tracepoint that fires with those locks held could deadlock. A trylock on alloc_lock is used instead of the blocking task_lock() (get_task_mm) to avoid a deadlock when a softirq BPF program iterates a task that already holds its alloc_lock on the same CPU.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.8HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Secondary3.17.0HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 7.0
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-825Secondary0b0ca135-0b70-47e7-9f44-1890c2a1c46c
CWE ID: CWE-825
Type: Secondary
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://git.kernel.org/stable/c/239cec25a22662dbd80f57d94b38178c8be95269416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A
https://git.kernel.org/stable/c/43683bb280330f3d36f0f2a3932a4867b9603e9c416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A
https://git.kernel.org/stable/c/d0862de7c866c5bd7c32531f66738c21197af888416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A
https://git.kernel.org/stable/c/d8e27d2d22b6e2df3a0125b8c08e9aace38c954c416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A
https://access.redhat.com/security/cve/CVE-2026-530850b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
https://bugzilla.redhat.com/show_bug.cgi?id=24924040b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53085.json0b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
Hyperlink: https://git.kernel.org/stable/c/239cec25a22662dbd80f57d94b38178c8be95269
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/43683bb280330f3d36f0f2a3932a4867b9603e9c
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/d0862de7c866c5bd7c32531f66738c21197af888
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/d8e27d2d22b6e2df3a0125b8c08e9aace38c954c
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource: N/A
Hyperlink: https://access.redhat.com/security/cve/CVE-2026-53085
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2492404
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A
Hyperlink: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53085.json
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

2473Records found

CVE-2026-52976
Matching Score-10
Assigner-kernel.org
ShareView Details
Matching Score-10
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.13% / 2.84%
||
7 Day CHG-0.05%
Published-24 Jun, 2026 | 16:28
Updated-30 Jun, 2026 | 12:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl() Two error handling issues exist in xe_exec_queue_create_ioctl(): 1. When xe_hw_engine_group_add_exec_queue() fails, the error path jumps to put_exec_queue which skips xe_exec_queue_kill(). If the VM is in preempt fence mode, xe_vm_add_compute_exec_queue() has already added the queue to the VM's compute exec queue list. Skipping the kill leaves the queue on that list, leading to a dangling pointer after the queue is freed. 2. When xa_alloc() fails after xe_hw_engine_group_add_exec_queue() has succeeded, the error path does not call xe_hw_engine_group_del_exec_queue() to remove the queue from the hw engine group list. The queue is then freed while still linked into the hw engine group, causing a use-after-free. Fix both by: - Changing the xe_hw_engine_group_add_exec_queue() failure path to jump to kill_exec_queue so that xe_exec_queue_kill() properly removes the queue from the VM's compute list. - Adding a del_hw_engine_group label before kill_exec_queue for the xa_alloc() failure path, which removes the queue from the hw engine group before proceeding with the rest of the cleanup. (cherry picked from commit 37c831f401746a45d510b312b0ed7a77b1e06ec8)

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-LinuxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-825
Expired Pointer Dereference
CVE-2026-5165
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-6.7||MEDIUM
EPSS-0.11% / 1.47%
||
7 Day CHG~0.00%
Published-30 Mar, 2026 | 15:02
Updated-28 Apr, 2026 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Virtio-win: virtio-win: memory corruption via use-after-free in virtio blk device reset

A flaw was found in virtio-win, specifically within the VirtIO Block (BLK) device. When the device undergoes a reset, it fails to properly manage memory, resulting in a use-after-free vulnerability. This issue could allow a local attacker to corrupt system memory, potentially leading to system instability or unexpected behavior.

Action-Not Available
Vendor-Red Hat, Inc.
Product-virtio-winenterprise_linuxRed Hat Enterprise Linux 8Red Hat Enterprise Linux 10Red Hat Enterprise Linux 9
CWE ID-CWE-825
Expired Pointer Dereference
CVE-2026-52973
Matching Score-10
Assigner-kernel.org
ShareView Details
Matching Score-10
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.13% / 2.84%
||
7 Day CHG-0.04%
Published-24 Jun, 2026 | 16:28
Updated-30 Jun, 2026 | 12:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
futex: Drop CLONE_THREAD requirement for private default hash alloc

In the Linux kernel, the following vulnerability has been resolved: futex: Drop CLONE_THREAD requirement for private default hash alloc Currently need_futex_hash_allocate_default() depends on strict pthread semantics, abusing CLONE_THREAD. This breaks the non-concurrency assumptions when doing the mm->futex_ref pcpu allocations, leading to bugs[0] when sharing the mm in other ways; ie: BUG: KASAN: slab-use-after-free in futex_hash_put ... where the +1 bias can end up on a percpu counter that mm->futex_ref no longer points at. Loosen the check to cover any CLONE_VM clone, except vfork(). Excluding vfork keeps the existing paths untouched (no overhead), and we can't race in the first place: either the parent is suspended and the child runs alone, or mm->futex_ref is already allocated from an earlier CLONE_VM.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-LinuxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-825
Expired Pointer Dereference
CVE-2026-53033
Matching Score-10
Assigner-kernel.org
ShareView Details
Matching Score-10
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.13% / 3.04%
||
7 Day CHG-0.05%
Published-24 Jun, 2026 | 16:29
Updated-30 Jun, 2026 | 12:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
bpf, sockmap: Take state lock for af_unix iter

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Take state lock for af_unix iter When a BPF iterator program updates a sockmap, there is a race condition in unix_stream_bpf_update_proto() where the `peer` pointer can become stale[1] during a state transition TCP_ESTABLISHED -> TCP_CLOSE. CPU0 bpf CPU1 close -------- ---------- // unix_stream_bpf_update_proto() sk_pair = unix_peer(sk) if (unlikely(!sk_pair)) return -EINVAL; // unix_release_sock() skpair = unix_peer(sk); unix_peer(sk) = NULL; sock_put(skpair) sock_hold(sk_pair) // UaF More practically, this fix guarantees that the iterator program is consistently provided with a unix socket that remains stable during iterator execution. [1]: BUG: KASAN: slab-use-after-free in unix_stream_bpf_update_proto+0x155/0x490 Write of size 4 at addr ffff8881178c9a00 by task test_progs/2231 Call Trace: dump_stack_lvl+0x5d/0x80 print_report+0x170/0x4f3 kasan_report+0xe4/0x1c0 kasan_check_range+0x125/0x200 unix_stream_bpf_update_proto+0x155/0x490 sock_map_link+0x71c/0xec0 sock_map_update_common+0xbc/0x600 sock_map_update_elem+0x19a/0x1f0 bpf_prog_bbbf56096cdd4f01_selective_dump_unix+0x20c/0x217 bpf_iter_run_prog+0x21e/0xae0 bpf_iter_unix_seq_show+0x1e0/0x2a0 bpf_seq_read+0x42c/0x10d0 vfs_read+0x171/0xb20 ksys_read+0xff/0x200 do_syscall_64+0xf7/0x5e0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2236: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x63/0x80 kmem_cache_alloc_noprof+0x1d5/0x680 sk_prot_alloc+0x59/0x210 sk_alloc+0x34/0x470 unix_create1+0x86/0x8a0 unix_stream_connect+0x318/0x15b0 __sys_connect+0xfd/0x130 __x64_sys_connect+0x72/0xd0 do_syscall_64+0xf7/0x5e0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2236: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 __kasan_slab_free+0x47/0x70 kmem_cache_free+0x11c/0x590 __sk_destruct+0x432/0x6e0 unix_release_sock+0x9b3/0xf60 unix_release+0x8a/0xf0 __sock_release+0xb0/0x270 sock_close+0x18/0x20 __fput+0x36e/0xac0 fput_close_sync+0xe5/0x1a0 __x64_sys_close+0x7d/0xd0 do_syscall_64+0xf7/0x5e0 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-LinuxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-825
Expired Pointer Dereference
CVE-2026-46243
Matching Score-10
Assigner-kernel.org
ShareView Details
Matching Score-10
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.35% / 27.30%
||
7 Day CHG+0.04%
Published-01 Jun, 2026 | 16:22
Updated-02 Jul, 2026 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
smb: client: reject userspace cifs.spnego descriptions

In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.

Action-Not Available
Vendor-Red Hat, Inc.Linux Kernel Organization, Inc
Product-linux_kernelLinuxRed Hat Enterprise Linux Real Time for NFV E4S (v.9.2)Red Hat Enterprise Linux Real Time (v. 10)Red Hat Enterprise Linux AppStream E4S (v.9.2)Red Hat Enterprise Linux Real Time EUS (v.9.6)Red Hat Enterprise Linux AppStream EUS (v.9.6)Red Hat Enterprise Linux AppStream (v. 10)Red Hat Enterprise Linux CRB (v. 8)Red Hat Enterprise Linux BaseOS E4S (v.9.2)Red Hat Enterprise Linux Server Optional (v. 7 ELS)Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION)Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)Red Hat Enterprise Linux BaseOS (v. 10)Red Hat Enterprise Linux BaseOS E4S (v.9.4)Red Hat Enterprise Linux AppStream E4S (v.9.4)Red Hat Enterprise Linux BaseOS EUS (v.9.6)Red Hat Enterprise Linux NFV (v. 8)Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)NVIDIA for RHEL 10Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)Red Hat Enterprise Linux BaseOS (v. 8)Red Hat Enterprise Linux 7Red Hat Enterprise Linux RT (v. 8)Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)Red Hat Enterprise Linux BaseOS TUS (v.8.8)Red Hat Enterprise Linux Server (v. 7 ELS)Red Hat Enterprise Linux Server Optional -EXTENSION (v. 6 ELS -EXTENSION)Red Hat Enterprise Linux AppStream EUS (v. 10.0)Red Hat Enterprise Linux Real Time EUS (v. 10.0)Red Hat Enterprise Linux BaseOS (v. 9)Red Hat Enterprise Linux BaseOS EUS (v. 10.0)Red Hat OpenShift Container Platform 4.14Red Hat Enterprise Linux 9Red Hat Enterprise Linux BaseOS E4S (v.8.8)Red Hat Enterprise Linux Real Time E4S (v.9.4)Red Hat Enterprise Linux Real Time E4S (v.9.2)Red Hat Enterprise Linux Real Time for NFV (v. 10)Red Hat Enterprise Linux Real Time (v. 9)Red Hat Enterprise Linux Real Time for NFV (v. 9)Red Hat Enterprise Linux BaseOS AUS (v.8.4)Red Hat Enterprise Linux BaseOS AUS (v.8.6)Red Hat CodeReady Linux Builder EUS (v.9.6)
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-825
Expired Pointer Dereference
CVE-2026-45972
Matching Score-10
Assigner-kernel.org
ShareView Details
Matching Score-10
Assigner-kernel.org
CVSS Score-9.8||CRITICAL
EPSS-0.33% / 25.24%
||
7 Day CHG-0.16%
Published-27 May, 2026 | 12:18
Updated-30 Jun, 2026 | 12:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
smb: client: fix potential UAF and double free in smb2_open_file()

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF and double free in smb2_open_file() Zero out @err_iov and @err_buftype before retrying SMB2_open() to prevent an UAF bug if @data != NULL, otherwise a double free.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-linux_kernelLinuxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-825
Expired Pointer Dereference
CWE ID-CWE-416
Use After Free
CVE-2026-45998
Matching Score-10
Assigner-kernel.org
ShareView Details
Matching Score-10
Assigner-kernel.org
CVSS Score-7||HIGH
EPSS-0.12% / 2.44%
||
7 Day CHG-0.01%
Published-27 May, 2026 | 12:55
Updated-03 Jul, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
rxrpc: Fix potential UAF after skb_unshare() failure

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix potential UAF after skb_unshare() failure If skb_unshare() fails to unshare a packet due to allocation failure in rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread()) will be NULL'd out. This will likely cause the call to trace_rxrpc_rx_done() to oops. Fix this by moving the unsharing down to where rxrpc_input_call_event() calls rxrpc_input_call_packet(). There are a number of places prior to that where we ignore DATA packets for a variety of reasons (such as the call already being complete) for which an unshare is then avoided. And with that, rxrpc_input_packet() doesn't need to take a pointer to the pointer to the packet, so change that to just a pointer.

Action-Not Available
Vendor-Red Hat, Inc.Linux Kernel Organization, Inc
Product-linux_kernelLinuxRed Hat Enterprise Linux 9Red Hat Enterprise Linux BaseOS (v. 10)Red Hat Enterprise Linux Real Time (v. 10)Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6Red Hat Enterprise Linux 8Red Hat Enterprise Linux Real Time for NFV (v. 10)Red Hat Enterprise Linux AppStream (v. 10)Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)
CWE ID-CWE-416
Use After Free
CWE ID-CWE-825
Expired Pointer Dereference
CVE-2026-53006
Matching Score-10
Assigner-kernel.org
ShareView Details
Matching Score-10
Assigner-kernel.org
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 29.63%
||
7 Day CHG+0.19%
Published-24 Jun, 2026 | 16:29
Updated-30 Jun, 2026 | 12:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ipv6: fix possible UAF in icmpv6_rcv()

In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible UAF in icmpv6_rcv() Caching saddr and daddr before pskb_pull() is problematic since skb->head can change. Remove these temporary variables: - We only access &ipv6_hdr(skb)->saddr and &ipv6_hdr(skb)->daddr when net_dbg_ratelimited() is called in the slow path. - Avoid potential future misuse after pskb_pull() call.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-LinuxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-825
Expired Pointer Dereference
CVE-2026-52950
Matching Score-10
Assigner-kernel.org
ShareView Details
Matching Score-10
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.13% / 3.10%
||
7 Day CHG-0.04%
Published-24 Jun, 2026 | 16:28
Updated-30 Jun, 2026 | 12:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
drm/xe/dma-buf: fix UAF with retry loop

In the Linux kernel, the following vulnerability has been resolved: drm/xe/dma-buf: fix UAF with retry loop Retry doesn't work here, since bo will be freed on error, leading to UAF. However, now that we do the alloc & init before the attach, we can now combine this as one unit and have the init do the alloc for us. This should make the retry safe. Reported by Sashiko. v2: Fix up the error unwind (CI) (cherry picked from commit 479669418253e0f27f8cf5db01a731352ea592e7)

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-LinuxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-825
Expired Pointer Dereference
CVE-2026-52952
Matching Score-10
Assigner-kernel.org
ShareView Details
Matching Score-10
Assigner-kernel.org
CVSS Score-8.8||HIGH
EPSS-0.13% / 3.07%
||
7 Day CHG-0.03%
Published-24 Jun, 2026 | 16:28
Updated-30 Jun, 2026 | 12:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset

In the Linux kernel, the following vulnerability has been resolved: iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset In __iommu_group_set_domain_internal(), concurrent domain attachments are rejected when any device in the group is recovering. This is necessary to fence concurrent attachments to a multi-device group where devices might share the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in __iommu_group_set_domain_nofail(). Other IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such as __iommu_group_set_core_domain and __iommu_release_dma_ownership, should not be rejected, as the domain would be freed anyway in these nofail paths while group->domain is still pointing to it. So pci_dev_reset_iommu_done() could trigger a UAF when re-attaching group->domain. Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through the group->recovery_cnt fence, so as to update the group->domain pointer. Instead add a gdev->blocked check in the device iteration loop, to prevent any concurrent per-device detachment.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-LinuxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-825
Expired Pointer Dereference
CVE-2026-46166
Matching Score-10
Assigner-kernel.org
ShareView Details
Matching Score-10
Assigner-kernel.org
CVSS Score-8.8||HIGH
EPSS-0.20% / 10.32%
||
7 Day CHG-0.05%
Published-28 May, 2026 | 09:36
Updated-30 Jun, 2026 | 12:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
wifi: mac80211: use safe list iteration in radar detect work

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: use safe list iteration in radar detect work The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-linux_kernelLinuxRed Hat Enterprise Linux CodeReady Linux Builder (v. 9)Red Hat Enterprise Linux AppStream EUS (v. 10.0)Red Hat Enterprise Linux AppStream EUS (v.9.6)Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)Red Hat Enterprise Linux Real Time (v. 10)Red Hat Enterprise Linux 7Red Hat Enterprise Linux Real Time for NFV (v. 9)Red Hat Enterprise Linux 9Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)Red Hat Enterprise Linux Real Time EUS (v. 10.0)Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)Red Hat Enterprise Linux Real Time (v. 9)Red Hat Enterprise Linux 6Red Hat Enterprise Linux AppStream (v. 10)Red Hat Enterprise Linux BaseOS (v. 10)Red Hat Enterprise Linux Real Time EUS (v.9.6)Red Hat Enterprise Linux BaseOS EUS (v. 10.0)Red Hat Enterprise Linux BaseOS (v. 9)Red Hat CodeReady Linux Builder EUS (v.9.6)Red Hat Enterprise Linux BaseOS EUS (v.9.6)Red Hat Enterprise Linux 8Red Hat Enterprise Linux Real Time for NFV (v. 10)Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)
CWE ID-CWE-825
Expired Pointer Dereference
CWE ID-CWE-416
Use After Free
CVE-2026-46176
Matching Score-10
Assigner-kernel.org
ShareView Details
Matching Score-10
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.14% / 3.84%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 09:36
Updated-02 Jul, 2026 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1. This leads to several problems: the lock-free fast path checks "if (devr->s1) return 0;" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown. Fix by adding the same `goto unlock` in the s1 failure path.

Action-Not Available
Vendor-Red Hat, Inc.Linux Kernel Organization, Inc
Product-linux_kernelLinuxRed Hat Enterprise Linux Real Time (v. 10)Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6Red Hat Enterprise Linux Real Time EUS (v.9.6)Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)Red Hat Enterprise Linux Real Time EUS (v. 10.0)Red Hat Enterprise Linux AppStream EUS (v. 10.0)Red Hat Enterprise Linux AppStream EUS (v.9.6)Red Hat Enterprise Linux BaseOS (v. 9)Red Hat Enterprise Linux AppStream (v. 10)Red Hat Enterprise Linux BaseOS EUS (v. 10.0)Red Hat Enterprise Linux 9Red Hat Enterprise Linux BaseOS (v. 10)Red Hat Enterprise Linux 8Red Hat Enterprise Linux Real Time for NFV (v. 10)Red Hat Enterprise Linux BaseOS EUS (v.9.6)Red Hat Enterprise Linux Real Time (v. 9)Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)Red Hat Enterprise Linux Real Time for NFV (v. 9)Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)Red Hat CodeReady Linux Builder EUS (v.9.6)
CWE ID-CWE-825
Expired Pointer Dereference
CVE-2026-34001
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-7.8||HIGH
EPSS-0.26% / 17.79%
||
7 Day CHG~0.00%
Published-23 Apr, 2026 | 14:54
Updated-30 Jun, 2026 | 12:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Xorg: xwayland: x.org x server: use-after-free vulnerability leads to server crash and potential memory corruption

A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server crash and potentially enabling memory corruption. This could result in a denial of service or further compromise of the system.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Enterprise Linux 8.8 Telecommunications Update ServiceRed Hat Enterprise Linux 9.4 Extended Update SupportRed Hat Enterprise Linux 9.2 Update Services for SAP SolutionsRed Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 9.6 Extended Update SupportRed Hat Enterprise Linux 8.6 Advanced Mission Critical Update SupportRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportRed Hat Enterprise Linux 10.0 Extended Update SupportRed Hat Enterprise Linux 6Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-OnRed Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-OnRed Hat Enterprise Linux 6 Extended Lifecycle Support - EXTENSIONRed Hat Enterprise Linux 9.0 Update Services for SAP SolutionsRed Hat Enterprise Linux 7 Extended Lifecycle SupportRed Hat Enterprise Linux 8.8 Update Services for SAP SolutionsRed Hat Enterprise Linux 8Red Hat Enterprise Linux 8.6 Telecommunications Update ServiceRed Hat Enterprise Linux 8.6 Update Services for SAP SolutionsRed Hat Enterprise Linux CRB (v. 8)Red Hat Enterprise Linux AppStream EUS (v. 10.0)Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)Red Hat Enterprise Linux AppStream EUS (v.9.6)Red Hat Enterprise Linux AppStream AUS (v.8.6)Red Hat Enterprise Linux AppStream E4S (v.8.6)Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)Red Hat Enterprise Linux AppStream TUS (v.8.8)Red Hat Enterprise Linux AppStream E4S (v.9.0)Red Hat Enterprise Linux AppStream (v. 8)Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux Server (v. 7 ELS)Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)Red Hat Enterprise Linux 6Red Hat CodeReady Linux Builder EUS (v.9.4)Red Hat Enterprise Linux AppStream (v. 10)Red Hat Enterprise Linux Server Optional (v. 7 ELS)Red Hat Enterprise Linux AppStream E4S (v.9.2)Red Hat Enterprise Linux AppStream TUS (v.8.6)Red Hat Enterprise Linux AppStream E4S (v.8.8)Red Hat CodeReady Linux Builder EUS (v.9.6)Red Hat Enterprise Linux Server Optional -EXTENSION (v. 6 ELS -EXTENSION)Red Hat Enterprise Linux AppStream EUS (v.9.4)Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)Red Hat Enterprise Linux AppStream AUS (v.8.4)Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION)
CWE ID-CWE-825
Expired Pointer Dereference
CVE-2026-33150
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-7.8||HIGH
EPSS-0.31% / 22.73%
||
7 Day CHG-0.00%
Published-20 Mar, 2026 | 20:20
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use After Free in libfuse

libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.

Action-Not Available
Vendor-libfuse_projectlibfuseRed Hat, Inc.
Product-libfuselibfuseRed Hat Enterprise Linux 8Red Hat Enterprise Linux 7
CWE ID-CWE-416
Use After Free
CWE ID-CWE-825
Expired Pointer Dereference
CVE-2026-31703
Matching Score-10
Assigner-kernel.org
ShareView Details
Matching Score-10
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.11% / 1.74%
||
7 Day CHG-0.01%
Published-01 May, 2026 | 13:56
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
writeback: Fix use after free in inode_switch_wbs_work_fn()

In the Linux kernel, the following vulnerability has been resolved: writeback: Fix use after free in inode_switch_wbs_work_fn() inode_switch_wbs_work_fn() has a loop like: wb_get(new_wb); while (1) { list = llist_del_all(&new_wb->switch_wbs_ctxs); /* Nothing to do? */ if (!list) break; ... process the items ... } Now adding of items to the list looks like: wb_queue_isw() if (llist_add(&isw->list, &wb->switch_wbs_ctxs)) queue_work(isw_wq, &wb->switch_work); Because inode_switch_wbs_work_fn() loops when processing isw items, it can happen that wb->switch_work is pending while wb->switch_wbs_ctxs is empty. This is a problem because in that case wb can get freed (no isw items -> no wb reference) while the work is still pending causing use-after-free issues. We cannot just fix this by cancelling work when freeing wb because that could still trigger problematic 0 -> 1 transitions on wb refcount due to wb_get() in inode_switch_wbs_work_fn(). It could be all handled with more careful code but that seems unnecessarily complex so let's avoid that until it is proven that the looping actually brings practical benefit. Just remove the loop from inode_switch_wbs_work_fn() instead. That way when wb_queue_isw() queues work, we are guaranteed we have added the first item to wb->switch_wbs_ctxs and nobody is going to remove it (and drop the wb reference it holds) until the queued work runs.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-linux_kernelLinuxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-825
Expired Pointer Dereference
CWE ID-CWE-416
Use After Free
CVE-2026-23074
Matching Score-10
Assigner-kernel.org
ShareView Details
Matching Score-10
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.13% / 3.25%
||
7 Day CHG~0.00%
Published-04 Feb, 2026 | 16:07
Updated-30 Jun, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
net/sched: Enforce that teql can only be used as root qdisc

In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint. Although not important, I will describe the scenario that unearthed this issue for the curious. GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows: ROOT qdisc 1:0 (QFQ) ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s └── class 1:2 (weight=1, lmax=1514) teql GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed causing GangMin's causing a UAF.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-linux_kernelLinuxRed Hat Enterprise Linux BaseOS (v. 8)Red Hat Enterprise Linux BaseOS AUS (v.8.6)Red Hat Enterprise Linux CRB (v. 8)Red Hat Enterprise Linux BaseOS E4S (v.8.6)Red Hat Enterprise Linux BaseOS E4S (v.8.8)Red Hat Enterprise Linux BaseOS AUS (v. 8.2)Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux Server (v. 7 ELS)Red Hat Enterprise Linux RT (v. 8)Red Hat Enterprise Linux Server Optional (v. 7 ELS)Red Hat Enterprise Linux BaseOS AUS (v.8.4)Red Hat Enterprise Linux BaseOS TUS (v.8.6)Red Hat Enterprise Linux for Real Time (v. 7 ELS)Red Hat Enterprise Linux NFV (v. 8)Red Hat Enterprise Linux Server Optional -EXTENSION (v. 6 ELS -EXTENSION)Red Hat Enterprise Linux BaseOS TUS (v.8.8)Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION)Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)
CWE ID-CWE-825
Expired Pointer Dereference
CWE ID-CWE-416
Use After Free
CVE-2026-52924
Matching Score-10
Assigner-kernel.org
ShareView Details
Matching Score-10
Assigner-kernel.org
CVSS Score-9.8||CRITICAL
EPSS-0.27% / 17.85%
||
7 Day CHG+0.10%
Published-24 Jun, 2026 | 07:14
Updated-30 Jun, 2026 | 12:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
sctp: purge outqueue on stale COOKIE-ECHO handling

In the Linux kernel, the following vulnerability has been resolved: sctp: purge outqueue on stale COOKIE-ECHO handling sctp_stream_update() is only invoked when the association is moved into COOKIE_WAIT during association setup/reconfiguration. In this path, the outbound stream scheduler state (stream->out_curr) is expected to be clean, since no user data should have been transmitted yet unless the state machine has already partially progressed. However, a corner case exists in sctp_sf_do_5_2_6_stale(): when a Stale Cookie ERROR is received, the association is rolled back from COOKIE_ECHOED to COOKIE_WAIT. In this scenario, user data may already have been queued and even bundled with the COOKIE-ECHO chunk. During the rollback, sctp_stream_update() frees the old stream table and installs a new one, but it does not invalidate stream->out_curr. As a result, out_curr may still point to a freed sctp_stream_out entry from the previous stream state. Later, SCTP scheduler dequeue paths (FCFS, RR, PRIO, etc.) rely on stream->out_curr->ext, which can lead to use-after-free once the old stream state has been released via sctp_stream_free(). This results in crashes such as (reported by Yuqi): BUG: KASAN: slab-use-after-free in sctp_sched_fcfs_dequeue+0x13a/0x140 Read of size 8 at addr ff1100004d4d3208 by task mini_poc/9312 CPU: 1 UID: 1001 PID: 9312 Comm: mini_poc Not tainted 7.1.0-rc1-00305-gbd3a4795d574 #5 PREEMPT(full) sctp_sched_fcfs_dequeue+0x13a/0x140 sctp_outq_flush+0x1603/0x33e0 sctp_do_sm+0x31c9/0x5d30 sctp_assoc_bh_rcv+0x392/0x6f0 sctp_inq_push+0x1db/0x270 sctp_rcv+0x138d/0x3c10 Fix this by fully purging the association outqueue when handling the Stale Cookie case. This ensures all pending transmit and retransmit state is dropped, and any scheduler cached pointers are invalidated, making it safe to rebuild stream state during COOKIE_WAIT restart. Updating only stream->out_curr would be insufficient, since queued and retransmittable data would still reference the old stream state and trigger later use-after-free in dequeue paths.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-LinuxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-825
Expired Pointer Dereference
CVE-2026-52923
Matching Score-10
Assigner-kernel.org
ShareView Details
Matching Score-10
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.12% / 2.45%
||
7 Day CHG-0.04%
Published-24 Jun, 2026 | 07:14
Updated-30 Jun, 2026 | 12:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ipc: limit next_id allocation to the valid ID range

In the Linux kernel, the following vulnerability has been resolved: ipc: limit next_id allocation to the valid ID range The checkpoint/restore sysctl path can request the next SysV IPC id through ids->next_id. ipc_idr_alloc() currently forwards that request to idr_alloc() with an open-ended upper bound. If the valid tail of the SysV IPC id space is full, the allocation can spill beyond ipc_mni. The returned SysV IPC id still uses the normal index encoding, so later lookup and removal can target the wrong slot. This leaves the real IDR entry behind and breaks the IDR state for the object. The bug is in ipc_idr_alloc() in the checkpoint/restore path. 1. ids->next_id is passed to: idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id), 0, ...) 2. The zero upper bound makes the allocation effectively open-ended. Once the valid SysV IPC tail is occupied, idr_alloc() can spill past ipc_mni and allocate an entry beyond the valid IPC id range. 3. The new object id is still encoded with the narrower SysV IPC index width: new->id = (new->seq << ipcmni_seq_shift()) + idx 4. Later removal goes through ipc_rmid(), which uses: ipcid_to_idx(ipcp->id) That truncates the real IDR index. An object actually stored at a high index can then be removed as if it lived at a low in-range index. 5. For shared memory, shm_destroy() frees the current object anyway, but the real high IDR slot is left behind as a dangling pointer. 6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry and dereferences freed memory. Prevent this by bounding the requested allocation to ipc_mni so the checkpoint/restore path fails once the valid range is exhausted.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-LinuxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-825
Expired Pointer Dereference
CVE-2025-26601
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.8||HIGH
EPSS-0.36% / 27.88%
||
7 Day CHG+0.01%
Published-25 Feb, 2025 | 15:55
Updated-29 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Xorg: xwayland: use-after-free in syncinittrigger()

A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object, possibly causing a use-after-free when the alarm eventually triggers.

Action-Not Available
Vendor-tigervncX.Org FoundationRed Hat, Inc.
Product-xwaylandtigervncx_serverenterprise_linuxRed Hat Enterprise Linux 8.4 Telecommunications Update ServiceRed Hat Enterprise Linux 8.4 Update Services for SAP SolutionsRed Hat Enterprise Linux 9.4 Extended Update SupportRed Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8.2 Advanced Update SupportRed Hat Enterprise Linux 8.8 Extended Update SupportRed Hat Enterprise Linux 9.2 Extended Update SupportRed Hat Enterprise Linux 8.6 Advanced Mission Critical Update SupportRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportRed Hat Enterprise Linux 6Red Hat Enterprise Linux 6 Extended Lifecycle Support - EXTENSIONRed Hat Enterprise Linux 7 Extended Lifecycle SupportRed Hat Enterprise Linux 9.0 Update Services for SAP SolutionsRed Hat Enterprise Linux 8Red Hat Enterprise Linux 8.6 Telecommunications Update ServiceRed Hat Enterprise Linux 8.6 Update Services for SAP Solutions
CWE ID-CWE-416
Use After Free
CVE-2005-4890
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.8||HIGH
EPSS-0.64% / 45.98%
||
7 Day CHG~0.00%
Published-04 Nov, 2019 | 18:38
Updated-08 Aug, 2024 | 00:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process.

Action-Not Available
Vendor-sudo_projectDebian GNU/LinuxRed Hat, Inc.
Product-debian_linuxshadowsudoenterprise_linuxshadowsudo
CWE ID-CWE-20
Improper Input Validation
CVE-2026-8632
Matching Score-8
Assigner-HP Inc.
ShareView Details
Matching Score-8
Assigner-HP Inc.
CVSS Score-8.5||HIGH
EPSS-0.88% / 54.68%
||
7 Day CHG+0.14%
Published-20 May, 2026 | 20:14
Updated-30 Jun, 2026 | 12:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HP Linux Imaging and Printing Software – Potential Escalation of Privilege and Arbitrary Code Execution

A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software. This potential vulnerability may allow escalation of privileges and/or arbitrary code execution via operating system command injection.

Action-Not Available
Vendor-HP IncRed Hat, Inc.HP Inc.
Product-linux_imaging_and_printingHP Linux Imaging and Printing SoftwareRed Hat Enterprise Linux 7Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux AppStream (v. 8)Red Hat Enterprise Linux 6Red Hat Enterprise Linux AppStream (v. 10)
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-26754
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.25% / 16.50%
||
7 Day CHG~0.00%
Published-03 Apr, 2024 | 17:00
Updated-11 May, 2026 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()

In the Linux kernel, the following vulnerability has been resolved: gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp() The gtp_net_ops pernet operations structure for the subsystem must be registered before registering the generic netlink family. Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014 RIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp] Code: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86 df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74 RSP: 0018:ffff888014107220 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000 FS: 00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? show_regs+0x90/0xa0 ? die_addr+0x50/0xd0 ? exc_general_protection+0x148/0x220 ? asm_exc_general_protection+0x22/0x30 ? gtp_genl_dump_pdp+0x1be/0x800 [gtp] ? __alloc_skb+0x1dd/0x350 ? __pfx___alloc_skb+0x10/0x10 genl_dumpit+0x11d/0x230 netlink_dump+0x5b9/0xce0 ? lockdep_hardirqs_on_prepare+0x253/0x430 ? __pfx_netlink_dump+0x10/0x10 ? kasan_save_track+0x10/0x40 ? __kasan_kmalloc+0x9b/0xa0 ? genl_start+0x675/0x970 __netlink_dump_start+0x6fc/0x9f0 genl_family_rcv_msg_dumpit+0x1bb/0x2d0 ? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10 ? genl_op_from_small+0x2a/0x440 ? cap_capable+0x1d0/0x240 ? __pfx_genl_start+0x10/0x10 ? __pfx_genl_dumpit+0x10/0x10 ? __pfx_genl_done+0x10/0x10 ? security_capable+0x9d/0xe0

Action-Not Available
Vendor-Debian GNU/LinuxLinux Kernel Organization, Inc
Product-debian_linuxlinux_kernelLinux
CWE ID-CWE-416
Use After Free
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2025-39835
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.16% / 5.24%
||
7 Day CHG~0.00%
Published-16 Sep, 2025 | 13:08
Updated-12 May, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
xfs: do not propagate ENODATA disk errors into xattr code

In the Linux kernel, the following vulnerability has been resolved: xfs: do not propagate ENODATA disk errors into xattr code ENODATA (aka ENOATTR) has a very specific meaning in the xfs xattr code; namely, that the requested attribute name could not be found. However, a medium error from disk may also return ENODATA. At best, this medium error may escape to userspace as "attribute not found" when in fact it's an IO (disk) error. At worst, we may oops in xfs_attr_leaf_get() when we do: error = xfs_attr_leaf_hasname(args, &bp); if (error == -ENOATTR) { xfs_trans_brelse(args->trans, bp); return error; } because an ENODATA/ENOATTR error from disk leaves us with a null bp, and the xfs_trans_brelse will then null-deref it. As discussed on the list, we really need to modify the lower level IO functions to trap all disk errors and ensure that we don't let unique errors like this leak up into higher xfs functions - many like this should be remapped to EIO. However, this patch directly addresses a reported bug in the xattr code, and should be safe to backport to stable kernels. A larger-scope patch to handle more unique errors at lower levels can follow later. (Note, prior to 07120f1abdff we did not oops, but we did return the wrong error code to userspace.)

Action-Not Available
Vendor-Debian GNU/LinuxSiemens AGLinux Kernel Organization, Inc
Product-debian_linuxlinux_kernelLinuxSIMATIC CN 4100
CVE-2024-26625
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.25% / 16.07%
||
7 Day CHG~0.00%
Published-06 Mar, 2024 | 06:45
Updated-11 May, 2026 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
llc: call sock_orphan() at release time

In the Linux kernel, the following vulnerability has been resolved: llc: call sock_orphan() at release time syzbot reported an interesting trace [1] caused by a stale sk->sk_wq pointer in a closed llc socket. In commit ff7b11aa481f ("net: socket: set sock->sk to NULL after calling proto_ops::release()") Eric Biggers hinted that some protocols are missing a sock_orphan(), we need to perform a full audit. In net-next, I plan to clear sock->sk from sock_orphan() and amend Eric patch to add a warning. [1] BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline] BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline] BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline] BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468 Read of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27 CPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc4/0x620 mm/kasan/report.c:488 kasan_report+0xda/0x110 mm/kasan/report.c:601 list_empty include/linux/list.h:373 [inline] waitqueue_active include/linux/wait.h:127 [inline] sock_def_write_space_wfree net/core/sock.c:3384 [inline] sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468 skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080 skb_release_all net/core/skbuff.c:1092 [inline] napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404 e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970 e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline] e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801 __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576 napi_poll net/core/dev.c:6645 [inline] net_rx_action+0x956/0xe90 net/core/dev.c:6778 __do_softirq+0x21a/0x8de kernel/softirq.c:553 run_ksoftirqd kernel/softirq.c:921 [inline] run_ksoftirqd+0x31/0x60 kernel/softirq.c:913 smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164 kthread+0x2c6/0x3a0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 </TASK> Allocated by task 5167: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:314 [inline] __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3813 [inline] slab_alloc_node mm/slub.c:3860 [inline] kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879 alloc_inode_sb include/linux/fs.h:3019 [inline] sock_alloc_inode+0x25/0x1c0 net/socket.c:308 alloc_inode+0x5d/0x220 fs/inode.c:260 new_inode_pseudo+0x16/0x80 fs/inode.c:1005 sock_alloc+0x40/0x270 net/socket.c:634 __sock_create+0xbc/0x800 net/socket.c:1535 sock_create net/socket.c:1622 [inline] __sys_socket_create net/socket.c:1659 [inline] __sys_socket+0x14c/0x260 net/socket.c:1706 __do_sys_socket net/socket.c:1720 [inline] __se_sys_socket net/socket.c:1718 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1718 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Freed by task 0: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640 poison_slab_object mm/kasan/common.c:241 [inline] __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2121 [inlin ---truncated---

Action-Not Available
Vendor-Debian GNU/LinuxLinux Kernel Organization, Inc
Product-debian_linuxlinux_kernelLinux
CWE ID-CWE-416
Use After Free
CVE-2026-53193
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.14% / 3.79%
||
7 Day CHG-0.04%
Published-25 Jun, 2026 | 08:39
Updated-30 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ALSA: timer: Forcibly close timer instances at closing

In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Forcibly close timer instances at closing When snd_timer object is freed via snd_timer_free() and still pending snd_timer_instance objects are assigned to the timer object, it tries to unlink all instances and just set NULL to each ti->timer, then releases the resources immediately. The problem is, however, when there are slave timer instances that are associated with a master instance linked to this timer: namely, those slave instances still point to the freed timer object although the master instance is unlinked, which may lead to user-after-free. The bug can be easily triggered particularly when a new userspace-driven timers (CONFIG_SND_UTIMER) is involved, since it can create and delete the timer object via a simple file open/close, while the other applications may keep accessing to that timer. This patch is an attempt to paper over the problem above: now instead of just unlinking, call snd_timer_close[_locked]() forcibly for each pending timer instance, so that all assigned slave timer instances are properly detached, too. Since snd_timer_close() might be called later by the driver that created that instance, the check of SNDRV_TIMER_IFLG_DEAD is added at the beginning, too.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-Linux
CVE-2026-53189
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.14% / 3.60%
||
7 Day CHG-0.05%
Published-25 Jun, 2026 | 08:39
Updated-30 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
mm/huge_memory: update file PMD counter before folio_put()

In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: update file PMD counter before folio_put() __split_huge_pmd_locked() updates the file/shmem RSS counter after dropping the PMD mapping's folio reference. If folio_put() drops the last reference, mm_counter_file() can later read freed folio state via folio_test_swapbacked(). Move the counter update before folio_put().

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-Linux
CVE-2023-43787
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.8||HIGH
EPSS-0.43% / 34.30%
||
7 Day CHG~0.00%
Published-10 Oct, 2023 | 12:26
Updated-06 Nov, 2025 | 22:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Libx11: integer overflow in xcreateimage() leading to a heap overflow

A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.

Action-Not Available
Vendor-Fedora ProjectRed Hat, Inc.X.Org Foundation
Product-fedoralibx11enterprise_linuxRed Hat Enterprise Linux 9Red Hat Enterprise Linux 8Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6
CWE ID-CWE-122
Heap-based Buffer Overflow
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2026-54230
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7||HIGH
EPSS-0.14% / 3.69%
||
7 Day CHG+0.02%
Published-13 Jun, 2026 | 02:34
Updated-30 Jun, 2026 | 12:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Abrt: event handler scripts follow symlinks when writing output files, allowing arbitrary file overwrites

A symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport. Event scripts write output files using shell redirections without the O_NOFOLLOW flag. If the target file is replaced with a symlink, the shell process running as root follows the symlink and writes content to the symlink target, allowing arbitrary file overwrites on the system.

Action-Not Available
Vendor-Fedora ProjectABRTRed Hat, Inc.
Product-abrtfedoraenterprise_linuxRed Hat Enterprise Linux 8Red Hat Enterprise Linux 6Red Hat Enterprise Linux 7Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6Red Hat Enterprise Linux 7
CWE ID-CWE-59
Improper Link Resolution Before File Access ('Link Following')
CVE-2026-53201
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.14% / 3.48%
||
7 Day CHG-0.04%
Published-25 Jun, 2026 | 08:39
Updated-30 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Revert "drm/xe: Skip exec queue schedule toggle if queue is idle during suspend"

In the Linux kernel, the following vulnerability has been resolved: Revert "drm/xe: Skip exec queue schedule toggle if queue is idle during suspend" This reverts commit 8533051ce92015e9cc6f75e0d52119b9d91610b6. The idle-skip optimization bypasses GuC suspend, so the GPU may not perform the context switch that flushes TLB entries for invalidated userptr VMAs. In LR/preempt-fence VM mode, this can lead to missed TLB invalidation and page faults during userptr invalidation tests. Restore unconditional schedule toggling on suspend so the context-switch TLB flush is always performed. This optimization will be reintroduced with a fix that does not skip suspend in LR/preempt-fence VM mode. (cherry picked from commit 6a1e7934d9a6cf46aecae00a99c2603d1295e170)

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-Linux
CVE-2026-53153
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.10% / 1.14%
||
7 Day CHG-0.07%
Published-25 Jun, 2026 | 08:38
Updated-30 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
mm/list_lru: drain before clearing xarray entry on reparent

In the Linux kernel, the following vulnerability has been resolved: mm/list_lru: drain before clearing xarray entry on reparent memcg_reparent_list_lrus() clears the dying memcg's xarray entry with xas_store(&xas, NULL) before reparenting its per-node lists into the parent. This opens a window where a concurrent list_lru_del() arriving for the dying memcg sees xa_load() == NULL, walks to the parent in lock_list_lru_of_memcg(), takes the parent's per-node lock, and calls list_del_init() on an item still physically linked on the dying memcg's list. If another in-flight thread holds the dying memcg's per-node lock at the same moment (another list_lru_del, or a list_lru_walk_one running an isolate callback), both threads modify ->next/->prev pointers on the same physical list under different locks. Adjacent items can corrupt each other's links. Fix it by reversing the order: reparent each per-node list and mark the child's list lru dead and then clear the xarray entry. Any concurrent list_lru op that finds the still-set xarray entry either takes the dying memcg's per-node lock (synchronizing with the drain) or sees LONG_MIN and walks to the parent, where the items now live.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-LinuxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-820
Missing Synchronization
CVE-2026-53212
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.12% / 2.58%
||
7 Day CHG-0.05%
Published-25 Jun, 2026 | 08:39
Updated-02 Jul, 2026 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
netfilter: nft_tunnel: fix use-after-free on object destroy

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tunnel: fix use-after-free on object destroy nft_tunnel_obj_destroy() calls metadata_dst_free() which directly kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets that took a reference via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g. in a netem qdisc) are left with a dangling pointer. When these packets are eventually dequeued, dst_release() operates on freed memory. Replace metadata_dst_free() with dst_release() so the metadata_dst is freed only after all references are dropped. The dst subsystem already handles metadata_dst cleanup in dst_destroy() when DST_METADATA is set.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-416
Use After Free
CVE-2026-53209
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.14% / 3.60%
||
7 Day CHG-0.04%
Published-25 Jun, 2026 | 08:39
Updated-02 Jul, 2026 | 20:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend Existing advertising instances can already hold the maximum extended advertising payload. When hci_adv_bcast_annoucement() prepends the Broadcast Announcement service data to that payload, the combined data may no longer fit in the temporary buffer used to rebuild the advertising data. Reject that case before copying the existing payload and report the failure through the device log. This keeps the existing advertising data intact and avoids overrunning the temporary buffer.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-53290
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.12% / 2.46%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 19:40
Updated-30 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
drm/xe/eustall: Fix drm_dev_put called before stream disable in close

In the Linux kernel, the following vulnerability has been resolved: drm/xe/eustall: Fix drm_dev_put called before stream disable in close In xe_eu_stall_stream_close(), drm_dev_put() is called before the stream is disabled and its resources are freed. If this drops the last reference, the device structures could be freed while the subsequent cleanup code still accesses them, leading to a use-after-free. Fix this by moving drm_dev_put() after all device accesses are complete. This matches the ordering in xe_oa_release(). (cherry picked from commit 35aff528f7297e949e5e19c9cd7fd748cf1cf21c)

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-Linux
CVE-2026-53148
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7||HIGH
EPSS-0.14% / 3.72%
||
7 Day CHG-0.04%
Published-25 Jun, 2026 | 08:38
Updated-30 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
thunderbolt: Clamp XDomain response data copy to allocation size

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Clamp XDomain response data copy to allocation size tb_xdp_properties_request() derives the per-packet copy length from the response header without checking that it fits in the previously allocated data buffer. A malicious peer can set its length field larger than the declared data_length, causing memcpy to write past the kcalloc allocation. Clamp the per-packet copy length so that the cumulative offset never exceeds data_len.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-LinuxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-53110
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.12% / 2.13%
||
7 Day CHG-0.04%
Published-24 Jun, 2026 | 16:30
Updated-28 Jun, 2026 | 08:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
s390/bpf: Zero-extend bpf prog return values and kfunc arguments

In the Linux kernel, the following vulnerability has been resolved: s390/bpf: Zero-extend bpf prog return values and kfunc arguments s390x ABI requires callers to zero-extend unsigned arguments and sign-extend signed arguments, and callees to zero-extend unsigned return values and sign-extend signed return values. s390 BPF JIT currently implements only sign extension. Fix this omission and implement zero extension too.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-Linux
CVE-2026-54228
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.8||HIGH
EPSS-0.10% / 1.19%
||
7 Day CHG~0.00%
Published-13 Jun, 2026 | 02:34
Updated-30 Jun, 2026 | 12:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Abrt: toctou race condition in abrt-dbus setelement allows arbitrary file writes to dump directories

A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method. Between dump directory creation and post-create event execution, any local user can call SetElement to write arbitrary text files into the root-owned dump directory, bypassing package validation and allowing crashes of unpackaged binaries to survive post-create processing.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6Red Hat Enterprise Linux 7Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6Red Hat Enterprise Linux 7
CWE ID-CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
CVE-2026-53276
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.12% / 2.17%
||
7 Day CHG-0.03%
Published-25 Jun, 2026 | 08:39
Updated-30 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer In iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is dropped: bis = iso_pi(sk)->conn->hcon; /* Release the socket before lookups since that requires hci_dev_lock * which shall not be acquired while holding sock_lock for proper * ordering. */ release_sock(sk); hci_dev_lock(bis->hdev); During the unlocked window, could a concurrent close() destroy the connection and free the bis structure, causing hci_dev_lock(bis->hdev) to access memory after it is freed, fix this by using the hdev reference which was safely acquired via iso_conn_get_hdev().

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-Linux
CVE-2026-53145
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.10% / 1.14%
||
7 Day CHG-0.07%
Published-25 Jun, 2026 | 08:38
Updated-30 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
drm/gem: Try to fix change_handle ioctl, attempt 4

In the Linux kernel, the following vulnerability has been resolved: drm/gem: Try to fix change_handle ioctl, attempt 4 [airlied: just added some comments on how to reenable] On-list because the cat is out of the bag and we're clearly not good enough to figure this out in private. The story thus far: 5e28b7b94408 ("drm: Set old handle to NULL before prime swap in change_handle") tried to fix a race condition between the gem_close and gem_change_handle ioctls, but got a few things wrong: - There's a confusion with the local variable handle, which is actually the new handle, and so the two-stage trick was actually applied to the wrong idr slot. 7164d78559b0 ("drm/gem: fix race between change_handle and handle_delete") tried to fix that by adding yet another code block, but forgot to add the error handling. Which meant we now have two paths, both kinda wrong. - dc366607c41c ("drm: Replace old pointer to new idr") tried to apply another fix, but inconsistently, again because of the handle confusion - this would be the right fix (kinda, somewhat, it's a mess) if we'd do the two-stage approach for the new handle. Except that wasn't the intent of the original fix. We also didn't have an igt merged for the original ioctl, which is a big no-go. This was attempted to address off-list in the original bugfix, and amd QA people claimed the bug was fixed now. Very clearly that's not the case. Here's my attempt to sort this out: - Rename the local variable to new_handle, the old aliasing with args->handle is just too dangerously confusing. - Merge the gem obj lookup with the two-stage idr_replace so that we avoid getting ourselves confused there. - This means we don't have a surplus temporary reference anymore, only an inherited from the idr. A concurrent gem_close on the new_handle could steal that. Fix that with the same two-stage approach create_tail uses. This is a bit overkill as documented in the comment, but I also don't trust my ability to understand this all correctly, so go with the established pattern we have from other ioctls instead for maximum paranoia. - Adjust error paths. I've tried to make the error and success paths common, because they are identical except for which handle is removed and on which we call idr_replace to (re)install the object again. But that made things messier to read, so I've left it at the more verbose version, which unfortunately hides the symmetry in the entire code flow a bit. - While at it, also replace the 7 space indent with 1 tab. And finally, because I flat out don't trust my abilities here at all anymore: - Disable the ioctl until we have the igt situation and everything else sorted out on-list and with full consensus. v2: Sashiko noticed that I didn't handle the error path for idr_replace correctly, it must be checked with IS_ERR_OR_NULL like in gem_handle_delete. So yeah, definitely should just the existing paths 1:1 because this is endless amounts of tricky. Also add the Fixes: line for the original ioctl, I forgot that too.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-LinuxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
CVE-2026-53264
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.13% / 2.93%
||
7 Day CHG-0.04%
Published-25 Jun, 2026 | 08:39
Updated-30 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
net/sched: act_api: use RCU with deferred freeing for action lifecycle

In the Linux kernel, the following vulnerability has been resolved: net/sched: act_api: use RCU with deferred freeing for action lifecycle When NEWTFILTER and DELFILTER are run concurrently it is possible to create a race with an associated action. Let's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER: 0: mutex_lock() <-- holds the idr lock 0: rcu_read_lock() 0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR) 0: mutex_unlock() <-- releases the idr lock 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held 1: idr_remove(idr, index) <-- Action removed from IDR 1: mutex_unlock() <-- mutex released allowing us to delete the action 1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory This patch fixes the race condition between NEWTFILTER and DELFILTER by adding struct rcu_head to tc_action used in the deferral and introducing a call_rcu() in the delete path to defer the final kfree(). Note: this is a revert of commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu") but also modernization/simplification to directly use kfree_rcu(). Let's illustrate the new restored code path: 0: rcu_read_lock() 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held 1: idr_remove(idr, index) 1: mutex_unlock() 1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period 0: p = idr_find(idr, index) 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0 1: rcu_read_unlock() <-- release so freeing can run after grace period After CPU1 calls idr_remove(), the object is no longer reachable through the IDR. CPU0's subsequent idr_find() will return NULL, and even if it still held a stale pointer, the immediate kfree() is now deferred until after the RCU grace period, so no UAF can occur.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-Linux
CVE-2026-53277
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-8.8||HIGH
EPSS-0.11% / 1.57%
||
7 Day CHG-0.06%
Published-25 Jun, 2026 | 08:40
Updated-30 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation walk_s1() and kvm_walk_nested_s2() expect to be called while holding kvm->srcu to guard against memslot changes. While this is generally the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the respective walkers without taking kvm->srcu. Fix by acquiring kvm->srcu prior to the table walk in both instances.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-LinuxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-820
Missing Synchronization
CVE-2026-53192
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.13% / 3.26%
||
7 Day CHG-0.05%
Published-25 Jun, 2026 | 08:39
Updated-30 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ALSA: timer: Fix UAF at snd_timer_user_params()

In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Fix UAF at snd_timer_user_params() At releasing a timer object, e.g. when a userspace timer (CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it tries to detach the timer instances and release the resources. However, it's still possible that other in-flight tasks are holding the timer instance where the to-be-deleted timer object is associated, and this may lead to racy accesses. Fortunately, most of ioctls dealing with the timer instance list already have the protection with register_mutex, and this also avoids such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the concurrent ioctl may lead to use-after-free. This patch just adds the guard with register_mutex to protect snd_timer_user_params() for covering the code path as a quick workaround. It's no hot-path but rather a rarely issued ioctl, so the performance penalty doesn't matter.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-Linux
CVE-2019-19351
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7||HIGH
EPSS-0.24% / 15.53%
||
7 Day CHG~0.00%
Published-18 Mar, 2020 | 16:33
Updated-05 Aug, 2024 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/jenkins. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. This CVE is specific to the openshift/jenkins-slave-base-rhel7-containera as shipped in Openshift 4 and 3.11.

Action-Not Available
Vendor-Red Hat, Inc.
Product-openshiftopenshift
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-269
Improper Privilege Management
CVE-2026-54229
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7||HIGH
EPSS-0.09% / 0.64%
||
7 Day CHG+0.01%
Published-13 Jun, 2026 | 02:34
Updated-30 Jun, 2026 | 12:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Abrt: chownproblemdir succeeds during active post-create event processing due to inadequate locking

A race condition was found in the abrt-dbus D-Bus service's ChownProblemDir method. ChownProblemDir opens the dump directory with DD_OPEN_READONLY and calls dd_chown to change ownership of all files to the caller's uid, succeeding even while post-create event handlers hold a write lock. This allows an attacker to gain filesystem-level control of the dump directory while privileged event scripts are still running.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6Red Hat Enterprise Linux 7Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6Red Hat Enterprise Linux 7
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2023-4389
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7||HIGH
EPSS-0.25% / 16.64%
||
7 Day CHG~0.00%
Published-16 Aug, 2023 | 18:49
Updated-15 Oct, 2024 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kernel: btrfs: double free in btrfs_get_root_ref()

A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in the btrfs filesystem in the Linux Kernel due to a double decrement of the reference count. This issue may allow a local attacker with user privilege to crash the system or may lead to leaked internal kernel information.

Action-Not Available
Vendor-n/aFedora ProjectLinux Kernel Organization, IncRed Hat, Inc.
Product-linux_kernelKernelRed Hat Enterprise Linux 9Red Hat Enterprise Linux 6Red Hat Enterprise Linux 8Red Hat Enterprise Linux 7Fedora
CWE ID-CWE-415
Double Free
CVE-2026-53259
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.12% / 2.46%
||
7 Day CHG-0.04%
Published-25 Jun, 2026 | 08:39
Updated-30 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ipv6: anycast: insert aca into global hash under idev->lock

In the Linux kernel, the following vulnerability has been resolved: ipv6: anycast: insert aca into global hash under idev->lock syzbot reported a splat [1]: a slab-use-after-free in ipv6_chk_acast_addr(), which walks the global inet6_acaddr_lst[] hash under RCU and dereferences a struct ifacaddr6 that has already been freed while still linked in the hash, so a later reader walks into a dangling node. In __ipv6_dev_ac_inc() the aca is allocated with refcount 1, then aca_get() bumps it to 2 to keep it alive across the unlocked region. It is published to idev->ac_list under idev->lock, but ipv6_add_acaddr_hash() runs after write_unlock_bh(). A concurrent teardown (ipv6_ac_destroy_dev() from addrconf_ifdown(), under RTNL) can slip into that window: CPU0 __ipv6_dev_ac_inc CPU1 ipv6_ac_destroy_dev (RTNL) ------------------------------ ------------------------------------ aca_alloc() refcnt 1 aca_get() refcnt 2 write_lock_bh(idev->lock) add aca to ac_list write_unlock_bh(idev->lock) write_lock_bh(idev->lock) pull aca off ac_list write_unlock_bh(idev->lock) ipv6_del_acaddr_hash(aca) hlist_del_init_rcu() is a no-op, aca is not in the hash yet aca_put() refcnt 2->1 ipv6_add_acaddr_hash(aca) aca now inserted into the hash aca_put() refcnt 1->0 call_rcu(aca_free_rcu) -> kfree(aca) The hash removal becomes a no-op because the insertion has not happened yet, so once CPU0 inserts and drops the last reference, the aca is freed while still linked in inet6_acaddr_lst[], and readers dereference freed memory after the slab slot is reused. This window opened once RTNL stopped serializing the join path against device teardown. Move ipv6_add_acaddr_hash() inside the idev->lock section so the ac_list and hash insertions are atomic with respect to teardown: a racing remover now either misses the aca entirely or finds it in both lists. acaddr_hash_lock is now nested under idev->lock, which is acquired in softirq context, so switch all acaddr_hash_lock sites to spin_lock_bh() to avoid the irq lock inversion reported in [2]. [1] https://syzkaller.appspot.com/bug?extid=a01df04303c131efbf3a [2] https://lore.kernel.org/netdev/6a194ef7.ba3b1513.1890b4.0000.GAE@google.com/

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-Linux
CVE-2023-53262
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.14% / 3.90%
||
7 Day CHG~0.00%
Published-15 Sep, 2025 | 14:46
Updated-11 May, 2026 | 19:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
f2fs: fix scheduling while atomic in decompression path

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix scheduling while atomic in decompression path [ 16.945668][ C0] Call trace: [ 16.945678][ C0] dump_backtrace+0x110/0x204 [ 16.945706][ C0] dump_stack_lvl+0x84/0xbc [ 16.945735][ C0] __schedule_bug+0xb8/0x1ac [ 16.945756][ C0] __schedule+0x724/0xbdc [ 16.945778][ C0] schedule+0x154/0x258 [ 16.945793][ C0] bit_wait_io+0x48/0xa4 [ 16.945808][ C0] out_of_line_wait_on_bit+0x114/0x198 [ 16.945824][ C0] __sync_dirty_buffer+0x1f8/0x2e8 [ 16.945853][ C0] __f2fs_commit_super+0x140/0x1f4 [ 16.945881][ C0] f2fs_commit_super+0x110/0x28c [ 16.945898][ C0] f2fs_handle_error+0x1f4/0x2f4 [ 16.945917][ C0] f2fs_decompress_cluster+0xc4/0x450 [ 16.945942][ C0] f2fs_end_read_compressed_page+0xc0/0xfc [ 16.945959][ C0] f2fs_handle_step_decompress+0x118/0x1cc [ 16.945978][ C0] f2fs_read_end_io+0x168/0x2b0 [ 16.945993][ C0] bio_endio+0x25c/0x2c8 [ 16.946015][ C0] dm_io_dec_pending+0x3e8/0x57c [ 16.946052][ C0] clone_endio+0x134/0x254 [ 16.946069][ C0] bio_endio+0x25c/0x2c8 [ 16.946084][ C0] blk_update_request+0x1d4/0x478 [ 16.946103][ C0] scsi_end_request+0x38/0x4cc [ 16.946129][ C0] scsi_io_completion+0x94/0x184 [ 16.946147][ C0] scsi_finish_command+0xe8/0x154 [ 16.946164][ C0] scsi_complete+0x90/0x1d8 [ 16.946181][ C0] blk_done_softirq+0xa4/0x11c [ 16.946198][ C0] _stext+0x184/0x614 [ 16.946214][ C0] __irq_exit_rcu+0x78/0x144 [ 16.946234][ C0] handle_domain_irq+0xd4/0x154 [ 16.946260][ C0] gic_handle_irq.33881+0x5c/0x27c [ 16.946281][ C0] call_on_irq_stack+0x40/0x70 [ 16.946298][ C0] do_interrupt_handler+0x48/0xa4 [ 16.946313][ C0] el1_interrupt+0x38/0x68 [ 16.946346][ C0] el1h_64_irq_handler+0x20/0x30 [ 16.946362][ C0] el1h_64_irq+0x78/0x7c [ 16.946377][ C0] finish_task_switch+0xc8/0x3d8 [ 16.946394][ C0] __schedule+0x600/0xbdc [ 16.946408][ C0] preempt_schedule_common+0x34/0x5c [ 16.946423][ C0] preempt_schedule+0x44/0x48 [ 16.946438][ C0] process_one_work+0x30c/0x550 [ 16.946456][ C0] worker_thread+0x414/0x8bc [ 16.946472][ C0] kthread+0x16c/0x1e0 [ 16.946486][ C0] ret_from_fork+0x10/0x20

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CVE-2026-53133
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.13% / 2.90%
||
7 Day CHG-0.05%
Published-25 Jun, 2026 | 08:38
Updated-30 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RDMA/umem: Fix truncation for block sizes >= 4G

In the Linux kernel, the following vulnerability has been resolved: RDMA/umem: Fix truncation for block sizes >= 4G When the iommu is used the linearization of the mapping can give a single block that is very large split across multiple SG entries. When __rdma_block_iter_next() reassembles the split SG entries it is overflowing the 32 bit stack values and computed the wrong DMA addresses for blocks after the truncation. Use the right types to hold DMA addresses.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-Linux
CVE-2023-53363
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.18% / 7.30%
||
7 Day CHG~0.00%
Published-17 Sep, 2025 | 14:56
Updated-11 May, 2026 | 19:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PCI: Fix use-after-free in pci_bus_release_domain_nr()

In the Linux kernel, the following vulnerability has been resolved: PCI: Fix use-after-free in pci_bus_release_domain_nr() Commit c14f7ccc9f5d ("PCI: Assign PCI domain IDs by ida_alloc()") introduced a use-after-free bug in the bus removal cleanup. The issue was found with kfence: [ 19.293351] BUG: KFENCE: use-after-free read in pci_bus_release_domain_nr+0x10/0x70 [ 19.302817] Use-after-free read at 0x000000007f3b80eb (in kfence-#115): [ 19.309677] pci_bus_release_domain_nr+0x10/0x70 [ 19.309691] dw_pcie_host_deinit+0x28/0x78 [ 19.309702] tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194] [ 19.309734] tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194] [ 19.309752] platform_probe+0x90/0xd8 ... [ 19.311457] kfence-#115: 0x00000000063a155a-0x00000000ba698da8, size=1072, cache=kmalloc-2k [ 19.311469] allocated by task 96 on cpu 10 at 19.279323s: [ 19.311562] __kmem_cache_alloc_node+0x260/0x278 [ 19.311571] kmalloc_trace+0x24/0x30 [ 19.311580] pci_alloc_bus+0x24/0xa0 [ 19.311590] pci_register_host_bridge+0x48/0x4b8 [ 19.311601] pci_scan_root_bus_bridge+0xc0/0xe8 [ 19.311613] pci_host_probe+0x18/0xc0 [ 19.311623] dw_pcie_host_init+0x2c0/0x568 [ 19.311630] tegra_pcie_dw_probe+0x610/0xb28 [pcie_tegra194] [ 19.311647] platform_probe+0x90/0xd8 ... [ 19.311782] freed by task 96 on cpu 10 at 19.285833s: [ 19.311799] release_pcibus_dev+0x30/0x40 [ 19.311808] device_release+0x30/0x90 [ 19.311814] kobject_put+0xa8/0x120 [ 19.311832] device_unregister+0x20/0x30 [ 19.311839] pci_remove_bus+0x78/0x88 [ 19.311850] pci_remove_root_bus+0x5c/0x98 [ 19.311860] dw_pcie_host_deinit+0x28/0x78 [ 19.311866] tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194] [ 19.311883] tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194] [ 19.311900] platform_probe+0x90/0xd8 ... [ 19.313579] CPU: 10 PID: 96 Comm: kworker/u24:2 Not tainted 6.2.0 #4 [ 19.320171] Hardware name: /, BIOS 1.0-d7fb19b 08/10/2022 [ 19.325852] Workqueue: events_unbound deferred_probe_work_func The stack trace is a bit misleading as dw_pcie_host_deinit() doesn't directly call pci_bus_release_domain_nr(). The issue turns out to be in pci_remove_root_bus() which first calls pci_remove_bus() which frees the struct pci_bus when its struct device is released. Then pci_bus_release_domain_nr() is called and accesses the freed struct pci_bus. Reordering these fixes the issue.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-416
Use After Free
CVE-2026-53242
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.14% / 3.60%
||
7 Day CHG-0.04%
Published-25 Jun, 2026 | 08:39
Updated-30 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams

In the Linux kernel, the following vulnerability has been resolved: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams snd_pcm_drain() uses init_waitqueue_entry which does not clear entry.prev/next, and add_wait_queue with a conditional remove_wait_queue that is skipped when to_check is no longer in the group after concurrent UNLINK. The orphaned wait entry remains on the unlinked substream sleep queue. On the next drain iteration, add_wait_queue adds the entry to a new queue while still linked on the old one, corrupting both lists. A subsequent wake_up dereferences NULL at the func pointer (mapped from the spinlock at offset 0 of the misinterpreted wait_queue_head_t), causing a kernel panic. Replace init_waitqueue_entry/add_wait_queue/conditional remove_wait_queue with init_wait_entry/prepare_to_wait/ finish_wait. init_wait_entry clears prev/next via INIT_LIST_HEAD on each iteration and sets autoremove_wake_function which auto-removes the entry on wake-up. finish_wait safely handles both the already-removed and still-queued cases.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-Linux
CVE-2026-53092
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.12% / 2.44%
||
7 Day CHG-0.04%
Published-24 Jun, 2026 | 16:30
Updated-30 Jun, 2026 | 12:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
bpf: Fix linked reg delta tracking when src_reg == dst_reg

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix linked reg delta tracking when src_reg == dst_reg Consider the case of rX += rX where src_reg and dst_reg are pointers to the same bpf_reg_state in adjust_reg_min_max_vals(). The latter first modifies the dst_reg in-place, and later in the delta tracking, the subsequent is_reg_const(src_reg)/reg_const_value(src_reg) reads the post-{add,sub} value instead of the original source. This is problematic since it sets an incorrect delta, which sync_linked_regs() then propagates to linked registers, thus creating a verifier-vs-runtime mismatch. Fix it by just skipping this corner case.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-LinuxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-393
Return of Wrong Status Code
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 49
  • 50
  • Next
Details not found