Skip to main content
CVE-2026-53001 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netfilter: xtables: restrict several matches to inet family This is a partial revert of: commit ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions") to allow ipv4 and ipv6 only. - xt_mac - xt_owner - xt_physdev These extensions are not used by ebtables in userspace. Moreover, xt_realm is only for ipv4, since dst->tclassid is ipv4 specific.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52995 MEDIUM PATCH This Month

Stack memory disclosure in the Linux kernel RDS/IB subsystem exposes up to 26 bytes of uninitialized kernel stack contents - including kernel text and data pointers - to local unprivileged users via the getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS) interface. The leak enables KASLR bypass on systems where the kernel was built without CONFIG_INIT_STACK_ALL_ZERO=y, making this a useful primitive for chaining into privilege escalation. No public exploit code and no CISA KEV listing exist at time of analysis; EPSS is very low at 0.18% (7th percentile), but the CVE description itself supplies a complete, step-by-step reproduction recipe that reduces practical exploitation complexity to near-trivial for any local user with AF_RDS socket access.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52985 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netdevsim: zero initialize struct iphdr in dummy sk_buff Syzbot reports a KMSAN uninit-value originating from nsim_dev_trap_skb_build, with the allocation also being performed in the same function. Fix this by calling skb_put_zero instead of skb_put to guarantee zero initialization of the whole IP header.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52913 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's batman-adv OGMv2 subsystem allows a local low-privilege user to crash the kernel by racing interface teardown against OGM dispatch. When a batman-adv hard interface is disabled and its mesh_iface pointer is set to NULL, the batadv_v_ogm_queue_on_if() function continues to call netdev_priv() on that NULL pointer, triggering a kernel panic. No public exploit exists and EPSS is 0.18% (7th percentile), making this low operational priority except on systems actively running batman-adv mesh networking.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52990 MEDIUM PATCH This Month

Resource leak in the Linux kernel fsnotify subsystem causes hung tasks and local denial of service via a race condition in fsnotify_recalc_mask(). A local low-privilege user can trigger concurrent mark addition and removal on a filesystem connector object, causing an inode pointer returned by __fsnotify_recalc_mask() to be silently discarded rather than released via fsnotify_drop_object() - permanently blocking the umount path as fsnotify_sb_delete() waits indefinitely on the leaked reference. No public exploit exists and EPSS is at the 7th percentile, indicating negligible opportunistic exploitation risk.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52964 MEDIUM PATCH This Month

Out-of-bounds descriptor read in the Linux kernel ALSA USB MIDI 2.0 subsystem allows a physically proximate or low-privileged local attacker to crash the kernel by presenting a malformed USB audio device with crafted MIDI 2.0 endpoint descriptors. The USB MIDI 2.0 endpoint parser validates bLength against bNumGrpTrmBlock but omits validation against remaining bytes in the endpoint-extra scan, allowing baAssoGrpTrmBlkID[] reads to advance past the descriptor buffer boundary. No public exploit is identified; EPSS stands at 0.18% (7th percentile), consistent with narrow, hardware-dependent attack surface and no active exploitation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52997 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's sch_dualpi2 queuing discipline (net/sched) allows a local attacker with low privileges to crash the kernel, causing a denial of service. The flaw exists in dualpi2_change(), which enforces updated queue limits after a qdisc reconfiguration: when traffic is exclusively queued in the L-queue and the C-queue is empty, the function unconditionally dereferences the NULL skb returned by the C-queue dequeue path, triggering a kernel panic. No public exploit code has been identified and EPSS sits at 0.17% (7th percentile), consistent with a locally-triggered, configuration-dependent kernel bug.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52994 MEDIUM PATCH This Month

Improper RLIMIT_MEMLOCK accounting in the Linux kernel's vsock/virtio MSG_ZEROCOPY path allows a local low-privileged user to bypass per-process pinned-page limits, enabling unbounded kernel memory pinning that can drive the system toward memory exhaustion. The flaw is confined to the virtio vsock transport and is not remotely exploitable. No public exploit has been identified and EPSS sits at 0.17% (7th percentile), reflecting low exploitation interest; however, a vendor-confirmed fix is available in stable releases.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52978 MEDIUM This Month

In the Linux kernel, the following vulnerability has been resolved: net: psp: require admin permission for dev-set and key-rotate The dev-set and key-rotate netlink operations modify shared device state (PSP version configuration and cryptographic key material, respectively) but do not require CAP_NET_ADMIN. The only access control is psp_dev_check_access() which merely verifies netns membership.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53035 MEDIUM PATCH This Month

The Linux kernel's BPF sockmap subsystem deadlocks when a BPF iterator program iterating over AF_UNIX sockets via `bpf_iter_unix_seq_show()` simultaneously attempts to update a sockmap entry during the same execution context. When `lock_sock_fast()` takes the spinlock fast path and holds `slock-AF_UNIX`, any subsequent `sock_map_update_elem()` call within the BPF iterator program spins indefinitely attempting to re-acquire the same spinlock on the same CPU, causing an unrecoverable kernel deadlock and loss of system availability. This is not confirmed actively exploited (not in CISA KEV), no public exploit has been identified, and EPSS at 0.17% (7th percentile) confirms negligible current exploitation interest; the real-world risk is constrained to specialized BPF workloads with specific capability requirements.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53029 MEDIUM PATCH This Month

Uninitialized variable read in the NTFS3 filesystem driver (`ntfs_iomap_begin()`) of the Linux kernel allows a local authenticated user to crash the system by triggering a zero-length run condition that causes the `lcn` (logical cluster number) variable to be consumed before assignment. The flaw affects Linux 7.0 up to 7.0.10 and Linux 7.1 prior to the stable fix commits, with the defect discovered and confirmed by Google syzbot via KMSAN. No public exploit has been identified and EPSS probability is very low (0.17%, 7th percentile); patches are available in Linux 7.0.10 and 7.1.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53023 MEDIUM PATCH This Month

Missing NUL termination in the Linux kernel's ntfs3 filesystem driver allows a local attacker with filesystem mount privileges to trigger an out-of-bounds memory read, crashing the kernel. The defect in ntfs_fill_super() leaves sbi->volume.label unterminated when a UTF-16 volume label converts to a UTF-8 string that exactly fills the fixed buffer, causing ntfs3_label_show() to read past the buffer boundary via a %s format specifier. No public exploit has been identified at time of analysis and EPSS sits at 0.17% (7th percentile), indicating very low current exploitation interest despite the High availability impact in CVSS.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53022 MEDIUM PATCH This Month

Unbounded string concatenation in the Linux kernel's Dell WMI BIOS interface driver (dell-wmi-sysman) allows a local low-privileged attacker on Dell hardware to crash the kernel. The populate_enum_data() function bounds each individual firmware-provided string but applies no remaining-space check during cumulative strcat() calls into fixed 512-byte struct members, enabling a buffer overflow that results in complete system availability loss. With an EPSS of 0.17% (7th percentile), no public exploit code, and no CISA KEV listing, this is a low-likelihood but straightforward local denial-of-service on Dell platforms running unpatched kernel versions.

Dell Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52977 MEDIUM PATCH This Month

Livelock in the Linux kernel's futex requeue-PI subsystem can hang a system when a signal or timeout interrupts a FUTEX_WAIT_REQUEUE_PI operation concurrently with an active FUTEX_CQ_REQUEUE_PI requeue. The race causes a waiting thread (Task A) to block indefinitely on a hash-bucket lock while a requeue thread (Task B) busy-loops retrying the same operation, consuming all available CPU - worst-case on uniprocessor systems where Task A cannot be scheduled at all. No public exploit is identified and EPSS is 0.17% (7th percentile), but the deterministic nature of the livelock on UP or real-time-scheduled hardware makes this a genuine denial-of-service risk; patches are available across six Linux stable branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53038 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ima_fs: Correctly create securityfs files for unsupported hash algos ima_tpm_chip->allocated_banks[i].crypto_id is initialized to HASH_ALGO__LAST if the TPM algorithm is not supported. However there are places relying on the algorithm to be valid because it is accessed by hash_algo_name[]. On 6.12.40 I observe the following read out-of-bounds in hash_algo_name: ================================================================== BUG: KASAN: global-out-of-bounds in create_securityfs_measurement_lists+0x396/0x440 Read of size 8 at addr ffffffff83e18138 by task swapper/0/1 CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.40 #3 Call Trace: <TASK> dump_stack_lvl+0x61/0x90 print_report+0xc4/0x580 ? kasan_addr_to_slab+0x26/0x80 ? create_securityfs_measurement_lists+0x396/0x440 kasan_report+0xc2/0x100 ? create_securityfs_measurement_lists+0x396/0x440 create_securityfs_measurement_lists+0x396/0x440 ima_fs_init+0xa3/0x300 ima_init+0x7d/0xd0 init_ima+0x28/0x100 do_one_initcall+0xa6/0x3e0 kernel_init_freeable+0x455/0x740 kernel_init+0x24/0x1d0 ret_from_fork+0x38/0x80 ret_from_fork_asm+0x11/0x20 </TASK> The buggy address belongs to the variable: hash_algo_name+0xb8/0x420 Memory state around the buggy address: ffffffff83e18000: 00 01 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 ffffffff83e18080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff83e18100: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 05 f9 f9 ^ ffffffff83e18180: f9 f9 f9 f9 00 00 00 00 00 00 00 04 f9 f9 f9 f9 ffffffff83e18200: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 ================================================================== Seems like the TPM chip supports sha3_256, which isn't yet in tpm_algorithms: tpm tpm0: TPM with unsupported bank algorithm 0x0027 That's TPM_ALG_SHA3_256 == 0x0027 from "Trusted Platform Module 2.0 Library Part 2: Structures", page 51 [1]. See also the related U-Boot algorithms update [2]. Thus solve the problem by creating a file name with "_tpm_alg_<ID>" postfix if the crypto algorithm isn't initialized. This is how it looks on the test machine (patch ported to v6.12 release): # ls -1 /sys/kernel/security/ima/ ascii_runtime_measurements ascii_runtime_measurements_tpm_alg_27 ascii_runtime_measurements_sha1 ascii_runtime_measurements_sha256 binary_runtime_measurements binary_runtime_measurements_tpm_alg_27 binary_runtime_measurements_sha1 binary_runtime_measurements_sha256 policy runtime_measurements_count violations [1]: https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-2-Version-184_pub.pdf [2]: https://lists.denx.de/pipermail/u-boot/2024-July/558835.html

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53032 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix NULL deref in map_kptr_match_type for scalar regs Commit ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local kptr") refactored map_kptr_match_type() to branch on btf_is_kernel() before checking base_type(). A scalar register stored into a kptr slot has no btf, so the btf_is_kernel(reg->btf) call dereferences NULL. Move the base_type() != PTR_TO_BTF_ID guard before any reg->btf access.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53015 MEDIUM PATCH This Month

Integer truncation in the Linux kernel's EROFS filesystem driver on 32-bit platforms causes logical cluster number (LCN) calculations to overflow at the 4 GiB boundary, resulting in incorrect block addressing and potential kernel-level availability impact. Affected systems are those running 32-bit Linux kernels (where `unsigned long` is 32 bits wide) with EROFS filesystems mounted. No public exploit exists and no active exploitation has been confirmed; EPSS stands at a very low 0.17% (6th percentile), consistent with the niche attack surface of 32-bit deployments.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53014 MEDIUM PATCH This Month

Kernel panic via skb headroom exhaustion in the Linux kernel's Traffic Control (TC) act_mirred subsystem affects systems using block-cast packet redirection across mixed device types. The root cause is a copy-paste error in tcf_blockcast_redir() where dev_is_mac_header_xmit() is queried against the next device in the iteration (dev) rather than the device currently being transmitted to (dev_prev), causing tcf_mirred_to_dev() to make wrong MAC header push/pull decisions for intermediate devices. In the worst case, skb_push_rcsum is called with an incorrect mac_len, exhausting socket buffer headroom and triggering a kernel panic. No public exploit code has been identified and EPSS is 0.17% at the 6th percentile, consistent with low real-world exploitation interest.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53013 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF macvlan_get_size() does not account for IFLA_MACVLAN_BC_CUTOFF, but macvlan_fill_info() conditionally includes it when port->bc_cutoff != 1. This causes nla_put_s32() to fail with -EMSGSIZE when the netlink skb runs out of space, triggering a WARN_ON in rtnetlink and preventing the interface from being dumped. The bug can be reproduced with: ip link add macvlan0 link eth0 type macvlan mode bridge ip link set macvlan0 type macvlan bc_cutoff 0 ip -d link show macvlan0 # fails with -EMSGSIZE The bc_cutoff feature was added in commit 954d1fa1ac93 ("macvlan: Add netlink attribute for broadcast cutoff"), which added the nla_put_s32() call in macvlan_fill_info() but missed adding the corresponding nla_total_size(4) in macvlan_get_size(). A follow-up commit 55cef78c244d ("macvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF") fixed the missing nla_policy entry but still did not fix the size calculation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52980 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: sched/fair: Clear rel_deadline when initializing forked entities A yield-triggered crash can happen when a newly forked sched_entity enters the fair class with se->rel_deadline unexpectedly set. The failing sequence is: 1. A task is forked while se->rel_deadline is still set. 2. __sched_fork() initializes vruntime, vlag and other sched_entity state, but does not clear rel_deadline. 3. On the first enqueue, enqueue_entity() calls place_entity(). 4. Because se->rel_deadline is set, place_entity() treats se->deadline as a relative deadline and converts it to an absolute deadline by adding the current vruntime. 5. However, the forked entity's deadline is not a valid inherited relative deadline for this new scheduling instance, so the conversion produces an abnormally large deadline. 6. If the task later calls sched_yield(), yield_task_fair() advances se->vruntime to se->deadline. 7. The inflated vruntime is then used by the following enqueue path, where the vruntime-derived key can overflow when multiplied by the entity weight. 8. This corrupts cfs_rq->sum_w_vruntime, breaks EEVDF eligibility calculation, and can eventually make all entities appear ineligible. pick_next_entity() may then return NULL unexpectedly, leading to a later NULL dereference. A captured trace shows the effect clearly. Before yield, the entity's vruntime was around: 9834017729983308 After yield_task_fair() executed: se->vruntime = se->deadline the vruntime jumped to: 19668035460670230 and the deadline was later advanced further to: 19668035463470230 This shows that the deadline had already become abnormally large before yield_task_fair() copied it into vruntime. rel_deadline is only meaningful when se->deadline really carries a relative deadline that still needs to be placed against vruntime. A freshly forked sched_entity should not inherit or retain this state. Clear se->rel_deadline in __sched_fork(), together with the other sched_entity runtime state, so that the first enqueue does not interpret the new entity's deadline as a stale relative deadline.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52965 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure When ttm_tt_swapout() fails, the current code calls ttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail() to restore the resource's bulk_move membership. However, ttm_resource_move_to_lru_tail() places the resource at the tail of the LRU list which, relative to the walk cursor's hitch node (placed immediately after the resource when it was yielded), puts the resource *in front of the* the hitch. The next list_for_each_entry_continue() from the hitch finds the same resource again, causing an infinite loop. Fix by deferring del_bulk_move to the success path only. On the success path, TTM_TT_FLAG_SWAPPED has just been set by ttm_tt_swapout() but the resource is still tracked in the bulk_move range, so ttm_resource_del_bulk_move()'s !ttm_resource_unevictable() guard would incorrectly skip the removal. Introduce ttm_resource_del_bulk_move_unevictable() which bypasses that guard.

Denial Of Service Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53042 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal CXL is linked before fwctl in drivers/Makefile. Both use `module_init, so `cxl_pci_driver_init()` runs first. When `cxl_pci_probe()` calls `fwctl_register()` and then `device_add()`, fwctl_class is not yet registered because fwctl_init() hasn't run, causing `class_to_subsys()` to return NULL and skip knode_class initialization. On device removal, `class_to_subsys()` returns non-NULL, and `device_del()` calls `klist_del()` on the uninitialized knode, triggering a NULL pointer dereference.

Memory Corruption Denial Of Service Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53030 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers() The xfer structure allocated by renesas_i3c_alloc_xfer() was never freed in the renesas_i3c_i3c_xfers() function. Use the __free(kfree) cleanup attribute to automatically free the memory when the variable goes out of scope.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53028 MEDIUM PATCH This Month

Error pointer dereference in the Linux kernel USB Type-C TI Power Delivery (tipd) driver allows a local low-privileged user to crash the kernel (denial of service) on systems with TI CD321x or TPS6598x USB Type-C controller hardware. The flaw in `cd321x_update_work()` at `drivers/usb/typec/tipd/core.c:827` logs a warning when `typec_register_partner()` fails but omits an early return, causing a subsequent unconditional dereference of the error pointer via `typec_partner_set_identity()`. No public exploit code has been identified at time of analysis, EPSS probability is 0.17% (6th percentile), and the vulnerability is not listed in CISA KEV.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53019 MEDIUM PATCH This Month

Kernel panic in the SpaceMIT clock controller driver (`clk-spacemit-ccu`) can be triggered during CPU frequency scaling on systems running SpaceMIT RISC-V hardware. The root cause is an inverted boolean condition in `ccu_mix_trigger_fc()` that causes the frequency change trigger to be skipped at the wrong time and fired at the wrong time, crashing the kernel under normal cpufreq governor activity. Exploitation requires only local low-privilege access, but is practically limited to the narrow hardware footprint of SpaceMIT K1-based boards; no public exploit or CISA KEV listing exists, and EPSS is 0.17% (6th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53018 MEDIUM PATCH This Month

Kernel panic in the Linux f2fs garbage collector allows a local low-privileged user to crash the system by triggering a VM_BUG_ON_FOLIO assertion when GC attempts to re-read a page already marked uptodate after multiple block relocations. The affected subsystem is f2fs (Flash-Friendly File System); systems using ext4, XFS, or other filesystems are not impacted. EPSS is extremely low (0.17%, 6th percentile) and no active exploitation has been identified, making this a stability/DoS concern primarily relevant to mobile, embedded, and flash-storage Linux deployments.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52979 MEDIUM This Month

Race condition in the Linux kernel PSP network subsystem allows a local low-privileged attacker to crash the kernel through a TOCTOU flaw in device association creation. In `psp_assoc_device_get_locked()`, a device reference acquired under RCU becomes stale before the protecting lock is taken if `psp_dev_unregister()` completes concurrently, leaving the kernel operating on freed or invalid device state. No public exploit has been identified and EPSS stands at 0.17% (6th percentile), reflecting minimal active exploitation risk despite the well-characterized code-level race condition.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52930 MEDIUM PATCH This Month

Race condition in the Linux kernel's System V IPC shared memory subsystem allows a local low-privileged attacker to crash the kernel. The `shm_destroy_orphaned()` cleanup path evaluates whether an orphaned segment is safe to destroy by checking `shm_nattch` without holding `shm_perm.lock`, while the attach/detach paths update that counter independently of `shm_ids(ns).rwsem`, creating a window where a still-attached segment is erroneously destroyed. The EPSS score is 0.17% (6th percentile) and no KEV listing or public exploit exists, placing this firmly in the routine-patching tier rather than emergency response.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52941 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel SMC subsystem's smc_msg_event tracepoint crashes the kernel when SMC-D socket traffic is processed while the tracepoint is active. Affected kernels from commit aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 across multiple stable branches dereference conn->lnk unconditionally in the tracepoint, though this pointer is only valid for SMC-R connections and is NULL for SMC-D. While activating the tracepoint requires root, the crash itself can be triggered by any unprivileged user via AF_SMC socket operations on SMC-D capable systems (s390 natively, or x86 with loopback ISM loaded). No public exploit or active exploitation confirmed; EPSS sits at 0.16%.

Linux Canonical Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52939 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel RDS/InfiniBand subsystem allows an unprivileged local user to trigger a kernel panic by sending an atomic cmsg over an active RDS/IB connection. The completion handler rds_ib_send_unmap_op() lacks switch cases for masked atomic opcodes (IB_WR_MASKED_ATOMIC_CMP_AND_SWP, IB_WR_MASKED_ATOMIC_FETCH_AND_ADD), returning rm=NULL while the send operation remains flagged, leading to a fatal NULL dereference at rm->m_final_op in softirq context. No public exploit has been identified and EPSS is 0.16% (6th percentile), but the crash is deterministic and reproducible on any system with mlx4/mlx5 InfiniBand hardware running an unpatched kernel with active RDS/IB connections.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52926 MEDIUM PATCH This Month

Stale gateway pointer in the Linux kernel's batman-adv mesh networking subsystem causes availability failures during mesh teardown and recreation. The batman-adv gateway cleanup function `batadv_gw_node_free()` frees gateway list entries without clearing `bat_priv->gw.curr_gw`, leaving a dangling reference that persists across cleanup and breaks subsequent mesh recreation attempts. No public exploit exists and EPSS sits at 0.16% (6th percentile), indicating negligible opportunistic exploitation interest at time of analysis.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52925 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel VRF (Virtual Routing and Forwarding) subsystem allows a local low-privileged user to crash the kernel via a race condition between RCU readers and VRF port removal operations, resulting in a complete denial of service on affected systems. Systems using VRF network segmentation are at risk specifically when VRF port membership is dynamically modified concurrent with socket bind() operations. EPSS is 0.16% (6th percentile) and the vulnerability is not listed in CISA KEV; no public exploit code has been identified, but patched kernel versions are available across all active stable branches.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52921 MEDIUM PATCH This Month

Denial of service in the Linux kernel netfilter ipset subsystem allows a local low-privileged user to disrupt availability by triggering an iterator overrun in hash:ip,mark, hash:ip,port, hash:ip,port,ip, or hash:ip,port,net set types during IPv4 range iteration. The 32-bit loop iterator is not properly bounded, allowing it to advance past the last address in the requested range; subsequent retry passes then resume from an unintended position, corrupting traversal state. No public exploit is identified at time of analysis, and the EPSS score of 0.16% (6th percentile) confirms very low exploitation probability, making this a routine patching priority rather than an emergency response.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53017 MEDIUM PATCH This Month

Data loss in the Linux kernel's f2fs (Flash-Friendly File System) driver exposes files created and synced before any checkpoint has been written to permanent loss on sudden power off. The race condition between fsync on newly created files and concurrent checkpoint operations causes f2fs_need_inode_block_update() to misread prematurely set nat_entry flags (IS_CHECKPOINTED and HAS_LAST_FSYNC), leading fsync to skip the inode block flush it actually requires. No public exploit identified at time of analysis; the EPSS score of 0.16% at the 6th percentile reflects the narrow triggering conditions and local-only attack surface.

Checkpoint Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52949 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failure Apply the same fix as b2ed01e7ad ("drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure") to the ttm_bo_shrink() path. Move del_bulk_move from before the backup to after success only, using ttm_resource_del_bulk_move_unevictable() since the resource is now unevictable once fully backed up.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52936 MEDIUM PATCH This Month

CPU stall vulnerability in the Linux kernel jitterentropy subsystem allows local low-privileged users to trigger prolonged non-preemptible spinlock holds by spawning concurrent entropy requests through jent_kcapi_random(), which holds a spinlock across expensive SHA3 conditioning and jitter collection. Systems running kernel versions from approximately 4.2 through pre-fix stable branches face entropy starvation and CPU busy-wait degradation under parallel getrandom() load. No public exploit identified at time of analysis; EPSS is 0.16% at the 5th percentile and no CISA KEV listing applies, making this a low-urgency, operator-pace patch for most deployments.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52928 MEDIUM PATCH This Month

Availability disruption in the Linux kernel's AF_UNIX socket subsystem allows a local low-privileged user to trigger an unhandled code path by issuing a SIOCATMARK ioctl on non-stream (SOCK_DGRAM or SOCK_SEQPACKET) AF_UNIX sockets, which the kernel incorrectly permits to proceed into receive-queue inspection logic intended only for SOCK_STREAM. The flaw stems from a logic inconsistency: while SOCK_DGRAM and SOCK_SEQPACKET already reject MSG_OOB in sendmsg()/recvmsg(), the SIOCATMARK ioctl handler lacked the corresponding guard, creating an exploitable divergence. No public exploit or CISA KEV listing exists; EPSS at 0.16% (5th percentile) reflects a very low real-world exploitation probability.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53027 MEDIUM PATCH This Month

Kernel availability impact in the Linux NTFS3 filesystem driver allows a local low-privileged user to trigger a WARN_ON(1) in attr_data_get_block_locked() by accessing NTFS volumes containing compressed or sparse attributes with frame-aligned cluster boundaries. The root cause is a missing run-segment load for vcn0 when it resides in a different attribute segment than vcn after cmask rounding, causing run_lookup_entry() to return SPARSE_LCN and fire the kernel warning. No public exploit has been identified and EPSS is 0.15% (5th percentile), confirming this as a low-probability exploitation target despite the confirmed vendor patch.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53007 MEDIUM This Month

In the Linux kernel, the following vulnerability has been resolved: ice: fix potential NULL pointer deref in error path of ice_set_ringparam() ice_set_ringparam nullifies tstamp_ring of temporary tx_rings, without clearing ICE_TX_RING_FLAGS_TXTIME bit. When ICE_TX_RING_FLAGS_TXTIME is set and the subsequent ice_setup_tx_ring() call fails, a NULL pointer dereference could happen in the unwinding sequence: ice_clean_tx_ring() -> ice_is_txtime_cfg() == true (ICE_TX_RING_FLAGS_TXTIME is set) -> ice_free_tx_tstamp_ring() -> ice_free_tstamp_ring() -> tstamp_ring->desc (NULL deref) Clear ICE_TX_RING_FLAGS_TXTIME bit to avoid the potential issue. Note that this potential issue is found by manual code review. Compile test only since unfortunately I don't have E830 devices.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52940 MEDIUM PATCH This Month

Kernel stack memory disclosure in the Linux TUN driver exposes 14 bytes of uninitialized stack data to unprivileged local users on every read of a non-tunnel packet. The flaw affects Linux systems where a local user can open a TUN device and issue the TUNSETVNETHDRSZ ioctl to set the vnet header size to 24 bytes. No public exploit or active exploitation has been identified; EPSS is 0.15% (5th percentile), consistent with a local-only information disclosure requiring deliberate TUN device configuration.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52937 MEDIUM PATCH This Month

Stack information disclosure in the Linux kernel's tap/macvtap driver exposes 8 bytes of uninitialized kernel stack contents to local users via the SIOCGIFHWADDR ioctl, leaking kernel .text and direct-map pointers that defeat KASLR. The affected code path in tap_ioctl() copies a 16-byte sockaddr_storage to userspace while netif_get_mac_address() initializes only 8 bytes (sa_family plus 6-byte Ethernet address), leaving the trailing 8 bytes unread. No public exploit is identified at time of analysis and EPSS sits at 0.15% (5th percentile), but KASLR bypass primitives of this type are routinely chained with local privilege-escalation exploits to gain kernel code-execution. NOTE: The provided CVSS vector (C:N/I:N/A:H) appears to misclassify this vulnerability - confidentiality is the impacted property, not availability; the assessed vector below corrects this.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52938 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's BPF socket storage subsystem (net/core/bpf_sk_storage.c) allows a local low-privileged user to crash the kernel. The race condition between bpf_selem_unlink_nofail() - which nulls smap before removing the element from the hlist - and concurrent RCU readers in bpf_sk_storage_clone() and bpf_sk_storage_diag_put_all() can be triggered during TCP SYN handling (socket cloning path), producing a kernel panic. No public exploit identified at time of analysis; EPSS of 0.14% (4th percentile) confirms negligible observed exploitation probability.

Linux Canonical Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-57304 MEDIUM This Month

Jenkins Assembla Plugin 1.4 and earlier exposes a connection-test endpoint without adequate permission enforcement, allowing any Jenkins user holding only Overall/Read permission to trigger outbound HTTP connections to an arbitrary attacker-controlled URL with attacker-supplied credentials. This enables both a limited Server-Side Request Forgery (SSRF) vector for internal network probing and credential interception on the attacker's endpoint. No public exploit code or active exploitation has been identified at time of analysis; SSVC assessment confirms exploitation status as none.

Authentication Bypass Jenkins Jenkins Assembla Plugin
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-57294 MEDIUM This Month

Missing permission check in Jenkins EC2 Fleet Plugin versions up to 4.2.3.539.v8fedff2a_81c3 enables any authenticated user holding the low-privilege Overall/Read role to trigger a credential-capture attack by directing the plugin to connect to an attacker-controlled endpoint and transmitting AWS credentials stored in Jenkins. The attacker must independently obtain a valid credential ID before exploiting this flaw, making it a chained attack rather than a direct standalone exploit. No public exploit code has been identified at time of analysis and CISA has not added this to the KEV catalog; SSVC rates exploitation status as none.

Authentication Bypass Jenkins Jenkins Ec2 Fleet Plugin
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-53948 MEDIUM PATCH This Month

Stored cross-site scripting in Ghost CMS (versions 6.19.4 through 6.21.0) is enabled by the Admin API file upload endpoint accepting and preserving attacker-supplied Content-Type headers without server-side validation. When Ghost is configured with S3 or GCS storage backends that serve uploaded files from the same origin as the site, an authenticated attacker can upload a file with a crafted Content-Type (e.g., text/html) that causes browsers to execute it as HTML or JavaScript, enabling stored XSS against visitors and staff. No public exploit code has been identified at time of analysis, and the vulnerability is fixed in Ghost 6.21.1.

Node.js XSS File Upload Ghost
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-53946 MEDIUM PATCH This Month

Server-side request forgery in Ghost CMS versions 6.19.4 through 6.21.1 allows authenticated staff users to pivot the Ghost server into making arbitrary outbound HTTP requests, including to internal network hosts and cloud instance metadata endpoints. The vulnerable code path is Ghost's post re-rendering pipeline, which fetches image dimensions from URLs stored in image cards without validating those URLs against a trusted host allowlist. No public exploit has been identified at time of analysis, and a vendor-released patch is available in 6.21.1.

Node.js SSRF Ghost
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-57305 MEDIUM This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Assembla Plugin 1.4 and earlier allows attackers to connect to an attacker-specified URL using an attacker-specified username and password.

CSRF Jenkins Jenkins Assembla Plugin
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-57295 MEDIUM This Month

Cross-site request forgery in Jenkins EC2 Fleet Plugin versions through 4.2.3.539.v8fedff2a_81c3 enables a network attacker to force Jenkins to connect to an attacker-controlled endpoint using AWS credentials stored in Jenkins, effectively exfiltrating those credentials. All Jenkins instances with this plugin installed and AWS credentials configured are at risk. No active exploitation is confirmed (not in CISA KEV), SSVC rates this as non-automatable with partial technical impact, and no public exploit code has been identified at time of analysis.

CSRF Jenkins Jenkins Ec2 Fleet Plugin
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-57298 MEDIUM This Month

Cross-site request forgery in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows a remote attacker to force a Jenkins instance to establish outbound connections to an arbitrary attacker-controlled URL, supplying attacker-chosen credentials including a username, API key, and service key. Any authenticated Jenkins user can be the unwitting victim if tricked into visiting a crafted page while logged in. No public exploit code or confirmed active exploitation has been identified at time of analysis, and SSVC rates exploitation likelihood as none with partial technical impact.

CSRF Jenkins Jenkins Contrast Continuous Application Security Plugin
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-57292 MEDIUM This Month

Cross-site request forgery in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows network-accessible attackers to force a Jenkins instance to initiate connections to attacker-controlled URLs, using credential IDs previously obtained through a separate method. The CVSS vector confirms a low-privileged authenticated attacker posture (PR:L), meaning the victim must hold an active Jenkins session. No active exploitation is confirmed per CISA KEV, and the SSVC framework rates exploitation as currently none with partial technical impact.

CSRF Jenkins Jenkins Gitee Plugin
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy