Linux Kernel
Monthly
Linux kernel io_uring/poll multishot recv can hang indefinitely when a socket shutdown occurs concurrently with data reception, due to a race condition where accumulated poll wakeups are drained without consuming the persistent HUP event. The vulnerability affects all Linux kernel versions with io_uring poll support and requires a fix to explicitly check for HUP conditions and re-loop when multiple poll activations are pending.
Use-after-free in Linux kernel DRM subsystem when framebuffers and property blobs are dereferenced after drm_dev_unplug during device driver unload, causing kernel oops and general protection faults in drm_framebuffer_cleanup. Affects all Linux kernel versions with DRM enabled; upstream fix available via kernel commits referenced in stable tree.
A validation bypass vulnerability exists in the Linux kernel's netfilter nft_set_rbtree module that fails to properly validate overlapping open intervals in packet filtering rule sets. This affects all Linux distributions running vulnerable kernel versions, allowing local or remote attackers with network configuration privileges to bypass firewall rules through malformed interval specifications. The vulnerability is classified as an information disclosure issue and has been patched upstream, though no active exploitation in the wild has been documented.
A lifecycle management vulnerability in the Linux kernel's USB NCM (Network Control Model) gadget function causes the network device to outlive its parent gadget device, resulting in NULL pointer dereferences and dangling sysfs symlinks when the USB gadget is disconnected. This affects all Linux kernel versions with the vulnerable USB gadget NCM implementation, and an attacker with local access to trigger USB gadget bind/unbind cycles can cause a kernel panic (denial of service). No CVSS vector, EPSS score, or active KEV status is available, but patches are confirmed available in the Linux stable tree.
This vulnerability is a memory leak in the Linux kernel's Bluetooth subsystem where Socket Buffers (SKBs) queued into the sk_error_queue for TX timestamping are not properly purged during socket destruction, allowing sensitive timestamp data to persist in kernel memory. The vulnerability affects all Linux kernel versions that support Bluetooth with SO_TIMESTAMPING enabled (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*). An attacker with local access could potentially read leaked kernel memory contents including timestamp information that should have been cleaned up, or trigger the leak by unexpectedly removing the Bluetooth controller while timestamped packets remain queued.
A denial-of-service vulnerability exists in the Linux kernel's ucan (CAN-over-USB) driver where malformed USB messages with a zero-length field cause an infinite loop in the ucan_read_bulk_callback() function, hanging the entire system. An attacker with physical access to a USB port can connect a malicious or compromised CAN device to trigger this condition, rendering the affected system unresponsive. While no CVSS or EPSS scores are available, the vulnerability is confirmed as patched across multiple stable kernel branches with six commits addressing the issue.
A credential reference leak exists in the Linux kernel's nfsd (NFS daemon) subsystem, specifically in the nfsd_nl_threads_set_doit() function which handles netlink-based thread configuration. The vulnerability affects all Linux kernel versions containing the vulnerable nfsd code path, allowing local users with netlink access to trigger memory leaks of credential structures through repeated invocations of the affected function. While not directly exploitable for privilege escalation or data theft, the memory leak can lead to denial of service through resource exhaustion and enables information disclosure via leaked kernel memory structures.
A deadlock vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) that occurs when an application issues a query IOCTL while the device is undergoing auto-suspend. The vulnerability affects all Linux distributions shipping the vulnerable kernel code. An attacker with local access to the system can trigger this deadlock by issuing query IOCTLs concurrently with power management events, causing a complete hang of the AMD XDNA accelerator subsystem and denial of service to legitimate applications. This vulnerability is not listed in the CISA KEV catalog and no public exploit code has been identified, but the fix has been integrated into the stable Linux kernel.
A NULL pointer dereference vulnerability exists in the Linux kernel's VXLAN implementation when IPv6 is disabled via the 'ipv6.disable=1' boot parameter. When an IPv6 packet is injected into a VXLAN interface, the route_shortcircuit() function attempts to call neigh_lookup() on an uninitialized nd_tbl (neighbor discovery table), causing a kernel panic and denial of service. This affects all Linux distributions shipping vulnerable kernel versions, and while no CVSS score or EPSS data is provided, the presence of six stable kernel commits and reproducible crash conditions indicates high practical impact.
This vulnerability involves improper resource cleanup in the Linux kernel's NFC PN533 USB driver, where a reference count on the USB interface is not properly released when a device is disconnected. Affected systems include all Linux kernel versions with the vulnerable PN533 driver code, impacting any system using NFC devices based on the PN533 chipset. While this is a resource management issue rather than a direct memory corruption vulnerability, it can lead to information disclosure or denial of service through USB interface resource exhaustion over repeated device attach/detach cycles. The vulnerability has been resolved in the Linux kernel with multiple backported patches available across stable branches.
The pegasus USB network driver in the Linux kernel fails to validate that connected USB devices have the proper number and types of endpoints before binding to them, allowing a malicious USB device to trigger a kernel crash through null pointer dereference or out-of-bounds memory access. This denial-of-service vulnerability affects Linux kernel versions across multiple stable branches, as evidenced by patches applied to at least six different kernel maintenance branches. An attacker with physical access to a target system or the ability to inject a crafted USB device into the network could crash the kernel without authentication or elevated privileges, though no public exploit code or active exploitation in the wild has been reported.
This vulnerability is a resource leak in the Linux kernel's InfiniBand mthca driver within the mthca_create_srq() function, where the mthca_unmap_user_db() cleanup call is missing on the error path. A user with local access can trigger this leak by causing the mthca_create_srq() system call to fail, resulting in persistent kernel memory not being freed, which could lead to denial of service through memory exhaustion. While no CVSS score, EPSS value, or KEV status is documented, the issue affects all Linux kernel versions using the mthca driver and has been patched across multiple stable kernel branches as evidenced by six linked commit fixes.
A race condition in the SiFive PLIC (Platform Level Interrupt Controller) interrupt handling code can cause interrupts to become frozen when interrupt affinity is modified while an interrupt is being processed. The vulnerability affects Linux kernel implementations using the SiFive PLIC irqchip driver, potentially causing system hangs or device unresponsiveness on RISC-V systems. While not actively exploited in the wild, the issue is easily reproducible through concurrent affinity changes and high interrupt load, making it a practical denial-of-service concern for affected systems.
A null pointer dereference vulnerability exists in the Linux kernel's ATM LANE module (lec_arp_clear_vccs function) where multiple ARP entries can share the same virtual circuit connection (VCC). When a VCC is closed, the kernel iterates through ARP entries and clears associated VCC pointers; if multiple entries share the same VCC, the first iteration frees the vpriv structure and sets it to NULL, causing subsequent iterations to crash when attempting to dereference the now-NULL pointer. A local attacker can trigger this denial of service condition through crafted ATM socket operations, as demonstrated by existing syzkaller reproducers.
A NULL pointer dereference vulnerability exists in the Linux kernel's TEQL (Trivial Ethernet Queue Limiting) network scheduler when transmitting through tunnel slave devices, particularly gretap tunnels. The vulnerability occurs because teql_master_xmit() fails to update skb->dev to the slave device before transmission, causing tunnel xmit functions to reference unallocated per-CPU statistics on the TEQL master device. This allows a local or networked attacker to trigger a kernel page fault and crash the system, resulting in a denial of service. No CVSS score, EPSS risk score, or KEV active exploitation status is currently published, but patch commits are available in Linux kernel stable branches (6.18.19, 6.19.9, and 7.0-rc4).
A stack overflow vulnerability exists in the Linux kernel's tunnel transmission functions (iptunnel_xmit and ip6tunnel_xmit) due to missing recursion limits when GRE tap interfaces operate as slaves in bonded devices with broadcast mode enabled. This allows local attackers or legitimate multicast/broadcast traffic to trigger infinite recursion between bond_xmit_broadcast() and tunnel transmission functions, causing kernel stack exhaustion and denial of service. The vulnerability affects multiple Linux kernel versions and has been resolved with the addition of IP_TUNNEL_RECURSION_LIMIT (4) to prevent excessive stack consumption during nested tunnel packet encapsulation.
This vulnerability is a race condition in the Linux kernel's F2FS file system that causes flag inconsistency between concurrent atomic commit and checkpoint write operations. The issue affects all Linux kernel versions with F2FS support (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), allowing information disclosure through incorrect inode state recovery after sudden power-off (SPO) scenarios. An attacker with local file system access during atomic write operations could trigger the race condition, leading to potential data inconsistency and information leakage when the system recovers.
A divide-by-zero vulnerability exists in the Linux kernel's rivafb framebuffer driver in the nv3_arb() function, which can be triggered by unprivileged userspace applications via the FBIOPUT_VSCREENINFO ioctl call on /dev/fb* devices. An attacker can crash the kernel by crafting a malicious or misconfigured PCI device that exposes a bogus PRAMDAC MCLK PLL configuration, causing the state->mclk_khz divisor to become zero. This is a Denial of Service vulnerability affecting the Linux kernel across multiple stable versions, with patches available in the kernel git repository.
A vulnerability in the Linux kernel's f2fs (Flash-Friendly File System) implementation fails to validate node footer integrity during asynchronous read and write I/O operations, allowing corrupted node page data to trigger a kernel BUG and cause denial of service. This affects all Linux kernel versions using f2fs, particularly those processing untrusted or fuzzed filesystem images. An attacker with the ability to craft a malicious f2fs filesystem image can trigger a kernel panic when the corrupted node page is written back, resulting in system unavailability.
A logic error in the Linux kernel's AMD GPU driver causes system crashes when two AMD GPUs are present and only one supports ASPM (Active State Power Management). The vulnerability stems from a commit that was erroneously reapplied after being removed in a prior refactoring, leading to incorrect ASPM state evaluation across multiple devices. Systems running affected Linux kernel versions with heterogeneous AMD GPU configurations (mixed ASPM support) will experience denial of service through kernel crashes.
This vulnerability is a memory leak in the Linux kernel's io_uring subsystem, specifically within the zero-copy receive (zcrx) implementation where a page array fails to be deallocated during scatter-gather initialization failures. The vulnerability affects all Linux kernel versions with the vulnerable io_uring/zcrx code path, allowing local attackers with the ability to trigger failed scatter-gather operations to exhaust kernel memory and cause denial of service. No active exploitation has been reported, but this is a kernel memory management issue with straightforward local triggering conditions.
A memory corruption vulnerability exists in the Linux kernel's Google Virtual Ethernet (gve) driver where dynamic queue count changes cause misalignment between the driver's stats region and the NIC's offset calculations. When queue counts increase, the NIC can write past the allocated stats region boundary causing heap corruption; when decreased, stats data becomes misaligned. This affects Linux kernel versions across multiple stable branches (as evidenced by patches in 5.10, 5.15, 6.1, 6.6, 6.7, 6.8, and 6.9 series). The vulnerability is not currently listed as actively exploited in KEV, but represents a critical reliability and security issue for systems using Google Cloud Platform infrastructure with the affected gve driver.
This vulnerability is a resource leak in the Linux kernel's NVMe/FC (NVMe over Fibre Channel) driver where the admin tag set and associated block I/O queue resources fail to be released if controller initialization encounters errors after the admin queue is allocated. The affected product is the Linux kernel across all versions that include the vulnerable nvme-fc code path. An attacker or malicious process could trigger repeated failed NVMe/FC controller initialization attempts to exhaust kernel memory through cumulative tag set leaks, potentially leading to denial of service. This is not actively exploited in the wild (not listed in CISA KEV), but patches are available across multiple kernel branches.
A memory leak vulnerability exists in the Linux kernel's regmap maple tree caching implementation where allocated memory is not freed when the mas_store_gfp() function fails during a write operation. This affects all Linux kernel versions containing the vulnerable regcache_maple_write() function, potentially allowing local attackers to exhaust kernel memory through repeated cache write failures. While no CVSS score or EPSS data is currently available, the vulnerability has been assigned CVE-2026-23260 and multiple stable kernel patches are available, indicating this is a recognized and actively addressed issue.
A memory management vulnerability exists in the Linux kernel's io_uring subsystem where allocated iovec buffers may fail to be properly freed when a read/write request cannot be recycled back to the rw_cache. This affects all Linux kernel versions with the vulnerable io_uring/rw code path, potentially allowing local attackers to trigger memory leaks that degrade system performance or enable denial of service conditions. The vulnerability has been patched in the Linux kernel stable trees as evidenced by the provided commit references.
A memory leak vulnerability exists in the Linux kernel's Liquidio network driver within the setup_nic_devices() function where the netdev pointer is not initialized in the oct->props[i].netdev structure before calling queue setup functions. If netif_set_real_num_rx_queues() or netif_set_real_num_tx_queues() fail, the allocated netdev memory is not freed because the cleanup function liquidio_destroy_nic_device() cannot locate it via the NULL pointer. This affects all Linux kernel versions with the Liquidio driver and allows for memory exhaustion through repeated device initialization failures.
A vulnerability in the Linux kernel's Generic Receive Offload (GRO) implementation for UDP traffic causes incorrect network offset calculations when processing encapsulated packets. The flaw affects all Linux kernel versions where the GRO subsystem handles UDP encapsulation, as specified in the CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. When hardware NICs, the tun driver, or veth setups inject packets with the encapsulation flag set, the udp4_gro_complete() function incorrectly computes the outer UDP header pseudo checksum using the inner network offset, leading to checksum validation failures that can disrupt packet processing and potentially cause denial of service or packet drops. No active exploitation has been reported in the wild, and no public proof-of-concept code is known to exist, though the vulnerability is triggered through normal network operations involving UDP-encapsulated traffic.
A memory allocation failure vulnerability exists in the Linux kernel's XFS filesystem checking code where the xchk_xfile_*_descr macros call kasprintf with formatted strings that can exceed safe allocation limits, leading to potential denial of service or information disclosure. This affects Linux kernel versions 6.6 through 6.14 and later releases including 6.18.16, 6.19.6, and 7.0-rc1, with the vulnerability discoverable through syzbot fuzzing by researcher Jiaming Zhang. While no active exploitation has been confirmed, the issue represents a path to failure in a core filesystem validation component that could be triggered by malicious or malformed filesystem structures.
In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument.
Ubuntu Linux 6.8 GA retains the legacy AF_UNIX garbage collector but backports upstream commit 8594d9b85c07 ("af_unix: Don’t call skb_get() for OOB skb"). When orphaned MSG_OOB sockets hit unix_gc(), the garbage collector still calls kfree_skb() as if OOB SKBs held two references; on Ubuntu Linux 6.8 (Noble Numbat) kernel tree, they have only the queue reference, so the buffer is freed while still reachable and subsequent queue walks dereference freed memory, yielding a reliable local privile...
The Linux kernel's romfs filesystem fails to validate the return value of sb_set_blocksize(), allowing a local attacker with user privileges to trigger a denial of service by mounting a romfs image on a loop device configured with an incompatible block size. Public exploit code exists for this vulnerability. The flaw causes the filesystem to proceed with an invalid superblock configuration, potentially leading to system crashes or filesystem corruption.
The Linux kernel's Classmate laptop driver lacks NULL pointer checks in sysfs attribute handlers, allowing local users to trigger a denial of service by accessing device attributes before driver initialization completes. A premature sysfs access can cause the driver to dereference a NULL pointer when retrieving uninitialized device data, crashing the affected system.
Local privilege escalation in Linux kernel f2fs sysfs attributes allows unprivileged users to trigger out-of-bounds memory access and cause denial of service by writing oversized integer values to filesystem control interfaces. The vulnerability stems from improper bounds checking when mapping sysfs attributes to kernel structures of varying integer sizes, enabling attackers to corrupt kernel memory and crash the system. No patch is currently available for this vulnerability.
A use-after-free vulnerability in the Linux kernel's f2fs filesystem allows a local attacker with user privileges to trigger memory corruption and crash the system through a race condition between I/O completion and filesystem unmount operations. The vulnerability occurs when a loop device completes write operations concurrently with an unmount that frees filesystem structures still being accessed by pending I/O handlers. This issue has no available patch and requires kernel-level access to exploit.
F2FS swapfile memory corruption in Linux kernel 6.6+ allows local attackers with user privileges to cause data corruption through improper physical block mapping when using fragmented swapfiles smaller than the F2FS section size. Public exploit code exists for this vulnerability, and attackers can trigger dm-verity corruption errors or F2FS node corruption leading to system crashes and data loss. No patch is currently available.
A revert of a Linux kernel patch introduces a potential deadlock condition in the f2fs filesystem when concurrent write operations and checkpoint operations occur, allowing a local user with write permissions to cause a denial of service through system hang. The vulnerability affects the Linux kernel's f2fs module and requires low privileges to trigger. No patch is currently available to address this issue.
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() causing double free Kernel panic observed on system, [5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 [5353358.825194] #PF: supervisor write access in kernel mode [5353358.825195] #PF: error_code(0x0002) - not-present page [5353358.825196] PGD 100006067 P4D 0 [5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI [5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1 [5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025 [5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10 [5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246 [5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000 [5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000 [5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000 [5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090 [5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000 [5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000 [5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0 [5353358.825221] PKRU: 55555554 [5353358.825222] Call Trace: [5353358.825223] <TASK> [5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825232] ? sg_copy_buffer+0xc8/0x110 [5353358.825236] ? __die_body.cold+0x8/0xd [5353358.825238] ? page_fault_oops+0x134/0x170 [5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110 [5353358.825244] ? exc_page_fault+0xa8/0x150 [5353358.825247] ? asm_exc_page_fault+0x22/0x30 [5353358.825252] ? memcpy_erms+0x6/0x10 [5353358.825253] sg_copy_buffer+0xc8/0x110 [5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx] [5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx] Most routines in qla_bsg.c call bsg_done() only for success cases.
Cryptopro Secure Disk contains a vulnerability that allows attackers to execute arbitrary code in the context of the root user and enables an attacker t (CVSS 6.8).
The Linux Kernel lockdown mode for kernel versions starting on 6.12 and above for Fedora Linux has the lockdown mode disabled without any warning. This may allow an attacker to gain access to sensitive information such kernel memory mappings, I/O ports, BPF and kprobes. [CVSS 7.7 HIGH]
The Linux kernel's virtio-crypto driver lacks proper synchronization when handling virtqueue notifications from multiple processes, causing data corruption and system hangs when processing cryptographic operations concurrently. Local attackers with user privileges can trigger denial of service by running parallel crypto workloads, as demonstrated through multi-process OpenSSL benchmarks that expose race conditions in the virtcrypto_done_task() handler. No patch is currently available for this medium-severity vulnerability affecting systems running virtio-crypto with builtin backends.
The Linux kernel ksmbd server leaks the active_num_conn counter when kthread_run() fails during TCP connection initialization, allowing local authenticated users to exhaust connection tracking resources and cause a denial of service. The vulnerability stems from improper cleanup that fails to decrement the counter when freeing the transport structure. No patch is currently available for this medium-severity issue.
Use-after-free vulnerability in Linux kernel XFS subsystem allows local attackers with unprivileged access to cause memory corruption and potential privilege escalation through improper pointer dereferencing in the btree block owner checking function. The flaw stems from attempting to access freed memory due to incorrect temporal ordering of operations when determining cursor aliases. This vulnerability affects all Linux systems using XFS and currently lacks a patch.
The Linux kernel's fsl-mc bus driver contains a use-after-free vulnerability in the driver_override_show() function that reads device configuration without proper locking, allowing a local privileged user to trigger memory corruption by concurrently modifying the same data. This vulnerability affects Linux systems running vulnerable kernel versions and could enable local denial of service or potential privilege escalation through heap memory manipulation. No patch is currently available for this issue.
In the Linux kernel, the following vulnerability has been resolved: nilfs2: Fix potential block overflow that cause system hang When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small.
{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3.
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Delay module unload while fabric scan in progress System crash seen during load/unload test in a loop.
In the Linux kernel, the following vulnerability has been resolved: wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add The driver does not set hw->sta_data_size, which causes mac80211 to allocate insufficient space for driver private station data in __sta_info_alloc().
In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Avoid creating sub-groups asynchronously The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Free sp in error path to fix system crash System crash seen during load/unload test in a loop, [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X.
In the Linux kernel, the following vulnerability has been resolved: crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode The local variable 'i' is initialized with -EINVAL, but the for loop immediately overwrites it and -EINVAL is never returned.
In the Linux kernel, the following vulnerability has been resolved: hfs: ensure sb->s_fs_info is always cleaned up When hfs was converted to the new mount api a bug was introduced by changing the allocation pattern of sb->s_fs_info.
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon() rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems.
Memory allocation profiling in the Linux kernel fails to properly clear allocation tags during abort operations when CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, allowing a local privileged user to trigger a denial of service through kernel warnings and potential system instability. The vulnerability affects the slab memory allocator's interaction with memcg abort handling and requires local access with elevated privileges to exploit. No patch is currently available for this medium-severity issue.
A null pointer dereference in the Linux kernel's loongson-64bit GPIO driver allows local attackers with user privileges to cause a denial of service through an incorrect NULL check that fails to validate chip->irq.parents after memory allocation. The vulnerability affects Linux systems with Loongson GPIO hardware and requires no user interaction to trigger. No patch is currently available.
A deadlock vulnerability in the Linux kernel's RISC-V tracing subsystem allows local users with tracing privileges to hang the system by enabling ftrace snapshots on __sbi_ecall functions, causing recursive IPI interrupts that trigger infinite snapshot loops. This issue is particularly easy to exploit on RISC-V systems lacking the SSTC extension, where timer events automatically invoke SBI ecalls. The vulnerability requires local access and is only exploitable if tracing is enabled, making it a denial of service vector for systems with active kernel tracing.
A use-after-free vulnerability in the Linux kernel's iSCSI target implementation allows local attackers with low privileges to cause memory corruption and potential denial of service by exploiting a race condition in the connection usage counting mechanism. The flaw occurs when a spinlock is released after calling complete(), allowing a waiting thread to free the connection structure before the current thread finishes its unlock operation. No patch is currently available for this vulnerability.
The Linux kernel's VMware hypercall implementation improperly handles register state during mouse events, allowing local attackers with user privileges to trigger a denial of service through a kernel panic via crafted input to the vmmouse driver. The vulnerability stems from incomplete register preservation when the QEMU VMware mouse emulation clears the upper 32 bits of CPU registers containing kernel pointers. No patch is currently available for this medium-severity issue affecting Linux systems running on VMware or QEMU with vmmouse support.
A denial of service vulnerability in the Linux kernel's btrfs filesystem allows local users with standard privileges to cause a system crash by triggering transaction aborts on read-only mounted filesystems. An attacker can exploit this by mounting a malformed btrfs filesystem with rescue options, causing the kernel to abort transactions with error handling failures during unmount. No patch is currently available for this medium-severity vulnerability.
AMD GPU drivers on Linux systems fail to prevent MMIO register access during SMU Mode 1 reset, allowing incomplete PCIe transactions that can trigger NMI panics or system hangs. A local attacker with driver interaction capabilities could exploit this to cause a denial of service by accessing registers while the device is offline. The vulnerability affects Linux kernel implementations with AMD PM functionality and currently lacks an available patch.
A data-race condition in the Linux kernel bonding driver's slave->last_rx field can be accessed without proper synchronization, potentially causing a denial of service on systems using bonded network interfaces. Local attackers with limited privileges can trigger the race condition to cause system instability or crashes. A patch is not currently available, and exploitation requires specific timing conditions.
Linux kernel swap handling can cause a kernel panic under heavy memory pressure when arch_prepare_to_swap fails due to read-only swap address space restrictions introduced in a prior commit. A local attacker with user privileges can trigger this denial of service condition during memory reclamation operations. No patch is currently available for this medium-severity vulnerability.
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't WARN for connections on invalid channels It's not clear (to me) how exactly syzbot managed to hit this, but it seems conceivable that e.g.
In the Linux kernel, the following vulnerability has been resolved: md: suspend array while updating raid_disks via sysfs In raid1_reshape(), freeze_array() is called before modifying the r1bio memory pool (conf->r1bio_pool) and conf->raid_disks, and unfreeze_array() is called after the update is completed.
A buffer overflow in the Linux kernel's ALSA USB audio driver allows local attackers with user privileges to write beyond allocated URB buffers by crafting malicious audio parameters with mismatched packet sizes and frame counts. An attacker can trigger out-of-bounds memory corruption, potentially achieving privilege escalation or denial of service. No patch is currently available for this vulnerability.
In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero The driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with ethsw->sw_attr.num_ifs as the element count.
A memory leak in the Linux kernel's SMB/CIFS client implementation allows local attackers with unprivileged access to exhaust kernel memory and cause a denial of service by triggering failed file operations on read-only mounted shares. An attacker can exploit this by repeatedly attempting to write files to a read-only CIFS mount, causing memory allocated for SMB requests to not be properly freed. The vulnerability persists until the cifs kernel module is unloaded, and currently lacks a public patch.
In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue Commit 1767bb2d47b7 ("ipv6: mcast: Don't hold RTNL for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.") removed the RTNL lock for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations.
In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress.
In the Linux kernel, the following vulnerability has been resolved: ceph: fix oops due to invalid pointer for kfree() in parse_longname() This fixes a kernel oops when reading ceph snapshot directories (.snap), for example by simply running `ls /mnt/my_ceph/.snap`.
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6 route.
{++++}-{4:4}: __might_fault+0xed/0x170 _copy_to_iter+0x118/0x1720 copy_page_to_iter+0x12d/0x1e0 filemap_read+0x720/0x10a0 blkdev_read_iter+0x2b5/0x4e0 vfs_read+0x7f4/0xae0 ksys_read+0x12a/0x250 do_syscall_64+0xcb/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (&sb->s_type->i_mutex_key#8){++++}-{4:4}: __lock_acquire+0x1509/0x26d0 lock_acquire+0x185/0x340 down_read+0x98/0x490 blkdev_read_iter+0x2a7/0x4e0 __kernel_read+0x39a/0xa90 freader_fetch+0x1d5/0xa80 __build_id_parse.isra.0+0xea/0x6a0 do_procmap_query+0xd75/0x1050 procfs_procmap_ioctl+0x7a/0xb0 __x64_sys_ioctl+0x18e/0x210 do_syscall_64+0xcb/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(&mm->mmap_lock); lock(&sb->s_type->i_mutex_key#8); lock(&mm->mmap_lock); rlock(&sb->s_type->i_mutex_key#8); *** DEADLOCK *** This seems to be exacerbated (as we haven't seen these syzbot reports before that) by the recent: 777a8560fd29 ("lib/buildid: use __kernel_read() for sleepable context") To make this safe, we need to grab file refcount while VMA is still locked, but other than that everything is pretty straightforward.
In the Linux kernel, the following vulnerability has been resolved: i2c: imx: preserve error state in block data length handler When a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX, the length handler sets the state to IMX_I2C_STATE_FAILED.
In the Linux kernel, the following vulnerability has been resolved: HID: Intel-thc-hid: Intel-thc: Add safety check for reading DMA buffer Add DMA buffer readiness check before reading DMA buffer to avoid unexpected NULL pointer accessing.
In the Linux kernel, the following vulnerability has been resolved: rust_binder: correctly handle FDA objects of length zero Fix a bug where an empty FDA (fd array) object with 0 fds would cause an out-of-bounds error.
Memory leak in AMD ASoC PDM DMA operations allows local attackers with user-level privileges to cause denial of service through resource exhaustion on affected Linux systems. The vulnerability persists as no patch is currently available, leaving vulnerable systems at continued risk of system instability or crash from cumulative memory consumption.
A null pointer dereference in the CephFS kernel client's MDS authentication matching function (ceph_mds_auth_match()) allows local attackers with low privileges to cause a denial of service by crashing the kernel when the mds_namespace mount option is not specified. This regression affects Linux kernel versions 6.18-rc1 and later, impacting systems using CephFS with default mount configurations. No patch is currently available for this vulnerability.
In the Linux kernel, the following vulnerability has been resolved: net: usb: r8152: fix resume reset deadlock rtl8152 can trigger device reset during reset which potentially can result in a deadlock: **** DPM device timeout after 10 seconds; 15 seconds until panic **** Call Trace: <TASK> schedule+0x483/0x1370 schedule_preempt_disabled+0x15/0x30 __mutex_lock_common+0x1fd/0x470 __rtl8152_set_mac_address+0x80/0x1f0 dev_set_mac_address+0x7f/0x150 rtl8152_post_reset+0x72/0x150 usb_reset_device+0x1d0/0x220 rtl8152_resume+0x99/0xc0 usb_resume_interface+0x3e/0xc0 usb_resume_both+0x104/0x150 usb_resume+0x22/0x110 The problem is that rtl8152 resume calls reset under tp->control mutex while reset basically re-enters rtl8152 and attempts to acquire the same tp->control lock once again.
In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains Fix out-of-range access of bc->domains in imx8m_blk_ctrl_remove().
The Linux kernel's acpi_power_meter driver contains a deadlock vulnerability in its notify callback function that can cause a denial of service when device removal races with sysfs attribute access. A local user with privileges to trigger power meter notifications can exploit this to hang or crash the system. No patch is currently available.
In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: fix NULL pointer dereference when setting max An issue was triggered: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 15 UID: 0 PID: 658 Comm: bash Tainted: 6.19.0-rc6-next-2026012 Tainted: [O]=OOT_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), RIP: 0010:strcmp+0x10/0x30 RSP: 0018:ffffc900017f7dc0 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888107cd4358 RDX: 0000000019f73907 RSI: ffffffff82cc381a RDI: 0000000000000000 RBP: ffff8881016bef0d R08: 000000006c0e7145 R09: 0000000056c0e714 R10: 0000000000000001 R11: ffff888107cd4358 R12: 0007ffffffffffff R13: ffff888101399200 R14: ffff888100fcb360 R15: 0007ffffffffffff CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000105c79000 CR4: 00000000000006f0 Call Trace: <TASK> dmemcg_limit_write.constprop.0+0x16d/0x390 ? __pfx_set_resource_max+0x10/0x10 kernfs_fop_write_iter+0x14e/0x200 vfs_write+0x367/0x510 ksys_write+0x66/0xe0 do_syscall_64+0x6b/0x390 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f42697e1887 It was trriggered setting max without limitation, the command is like: "echo test/region0 > dmem.max".
In the Linux kernel, the following vulnerability has been resolved: spi: tegra: Fix a memory leak in tegra_slink_probe() In tegra_slink_probe(), when platform_get_irq() fails, it directly returns from the function with an error code, which causes a memory leak.
In the Linux kernel, the following vulnerability has been resolved: btrfs: sync read disk super and set block size When the user performs a btrfs mount, the block device is not set correctly. The user sets the block size of the block device to 0x4000 by executing the BLKBSZSET command.
In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready() When the socket is closed while in TCP_LISTEN a callback is run to flush all outstanding packets, which in turns calls nvmet_tcp_listen_data_ready() with the sk_callback_lock held.
In the Linux kernel, the following vulnerability has been resolved: mm, shmem: prevent infinite loop on truncate race When truncating a large swap entry, shmem_free_swap() returns 0 when the entry's index doesn't match the given index due to lookup alignment.
In the Linux kernel, the following vulnerability has been resolved: platform/x86: toshiba_haps: Fix memory leaks in add/remove routines toshiba_haps_add() leaks the haps object allocated by it if it returns an error after allocating that object successfully.
In the Linux kernel, the following vulnerability has been resolved: nvme-pci: handle changing device dma map requirements The initial state of dma_needs_unmap may be false, but change to true while mapping the data iterator. Enabling swiotlb is one such case that can change the result.
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: ocb: skip rx_no_sta when interface is not joined ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only present after JOIN_OCB.
CVE-2025-71223 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures.
In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: ensure skb headroom before skb_push This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is less than needed (typically 110 - 94 = 16 bytes).
In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents.
Linux kernel io_uring/poll multishot recv can hang indefinitely when a socket shutdown occurs concurrently with data reception, due to a race condition where accumulated poll wakeups are drained without consuming the persistent HUP event. The vulnerability affects all Linux kernel versions with io_uring poll support and requires a fix to explicitly check for HUP conditions and re-loop when multiple poll activations are pending.
Use-after-free in Linux kernel DRM subsystem when framebuffers and property blobs are dereferenced after drm_dev_unplug during device driver unload, causing kernel oops and general protection faults in drm_framebuffer_cleanup. Affects all Linux kernel versions with DRM enabled; upstream fix available via kernel commits referenced in stable tree.
A validation bypass vulnerability exists in the Linux kernel's netfilter nft_set_rbtree module that fails to properly validate overlapping open intervals in packet filtering rule sets. This affects all Linux distributions running vulnerable kernel versions, allowing local or remote attackers with network configuration privileges to bypass firewall rules through malformed interval specifications. The vulnerability is classified as an information disclosure issue and has been patched upstream, though no active exploitation in the wild has been documented.
A lifecycle management vulnerability in the Linux kernel's USB NCM (Network Control Model) gadget function causes the network device to outlive its parent gadget device, resulting in NULL pointer dereferences and dangling sysfs symlinks when the USB gadget is disconnected. This affects all Linux kernel versions with the vulnerable USB gadget NCM implementation, and an attacker with local access to trigger USB gadget bind/unbind cycles can cause a kernel panic (denial of service). No CVSS vector, EPSS score, or active KEV status is available, but patches are confirmed available in the Linux stable tree.
This vulnerability is a memory leak in the Linux kernel's Bluetooth subsystem where Socket Buffers (SKBs) queued into the sk_error_queue for TX timestamping are not properly purged during socket destruction, allowing sensitive timestamp data to persist in kernel memory. The vulnerability affects all Linux kernel versions that support Bluetooth with SO_TIMESTAMPING enabled (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*). An attacker with local access could potentially read leaked kernel memory contents including timestamp information that should have been cleaned up, or trigger the leak by unexpectedly removing the Bluetooth controller while timestamped packets remain queued.
A denial-of-service vulnerability exists in the Linux kernel's ucan (CAN-over-USB) driver where malformed USB messages with a zero-length field cause an infinite loop in the ucan_read_bulk_callback() function, hanging the entire system. An attacker with physical access to a USB port can connect a malicious or compromised CAN device to trigger this condition, rendering the affected system unresponsive. While no CVSS or EPSS scores are available, the vulnerability is confirmed as patched across multiple stable kernel branches with six commits addressing the issue.
A credential reference leak exists in the Linux kernel's nfsd (NFS daemon) subsystem, specifically in the nfsd_nl_threads_set_doit() function which handles netlink-based thread configuration. The vulnerability affects all Linux kernel versions containing the vulnerable nfsd code path, allowing local users with netlink access to trigger memory leaks of credential structures through repeated invocations of the affected function. While not directly exploitable for privilege escalation or data theft, the memory leak can lead to denial of service through resource exhaustion and enables information disclosure via leaked kernel memory structures.
A deadlock vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) that occurs when an application issues a query IOCTL while the device is undergoing auto-suspend. The vulnerability affects all Linux distributions shipping the vulnerable kernel code. An attacker with local access to the system can trigger this deadlock by issuing query IOCTLs concurrently with power management events, causing a complete hang of the AMD XDNA accelerator subsystem and denial of service to legitimate applications. This vulnerability is not listed in the CISA KEV catalog and no public exploit code has been identified, but the fix has been integrated into the stable Linux kernel.
A NULL pointer dereference vulnerability exists in the Linux kernel's VXLAN implementation when IPv6 is disabled via the 'ipv6.disable=1' boot parameter. When an IPv6 packet is injected into a VXLAN interface, the route_shortcircuit() function attempts to call neigh_lookup() on an uninitialized nd_tbl (neighbor discovery table), causing a kernel panic and denial of service. This affects all Linux distributions shipping vulnerable kernel versions, and while no CVSS score or EPSS data is provided, the presence of six stable kernel commits and reproducible crash conditions indicates high practical impact.
This vulnerability involves improper resource cleanup in the Linux kernel's NFC PN533 USB driver, where a reference count on the USB interface is not properly released when a device is disconnected. Affected systems include all Linux kernel versions with the vulnerable PN533 driver code, impacting any system using NFC devices based on the PN533 chipset. While this is a resource management issue rather than a direct memory corruption vulnerability, it can lead to information disclosure or denial of service through USB interface resource exhaustion over repeated device attach/detach cycles. The vulnerability has been resolved in the Linux kernel with multiple backported patches available across stable branches.
The pegasus USB network driver in the Linux kernel fails to validate that connected USB devices have the proper number and types of endpoints before binding to them, allowing a malicious USB device to trigger a kernel crash through null pointer dereference or out-of-bounds memory access. This denial-of-service vulnerability affects Linux kernel versions across multiple stable branches, as evidenced by patches applied to at least six different kernel maintenance branches. An attacker with physical access to a target system or the ability to inject a crafted USB device into the network could crash the kernel without authentication or elevated privileges, though no public exploit code or active exploitation in the wild has been reported.
This vulnerability is a resource leak in the Linux kernel's InfiniBand mthca driver within the mthca_create_srq() function, where the mthca_unmap_user_db() cleanup call is missing on the error path. A user with local access can trigger this leak by causing the mthca_create_srq() system call to fail, resulting in persistent kernel memory not being freed, which could lead to denial of service through memory exhaustion. While no CVSS score, EPSS value, or KEV status is documented, the issue affects all Linux kernel versions using the mthca driver and has been patched across multiple stable kernel branches as evidenced by six linked commit fixes.
A race condition in the SiFive PLIC (Platform Level Interrupt Controller) interrupt handling code can cause interrupts to become frozen when interrupt affinity is modified while an interrupt is being processed. The vulnerability affects Linux kernel implementations using the SiFive PLIC irqchip driver, potentially causing system hangs or device unresponsiveness on RISC-V systems. While not actively exploited in the wild, the issue is easily reproducible through concurrent affinity changes and high interrupt load, making it a practical denial-of-service concern for affected systems.
A null pointer dereference vulnerability exists in the Linux kernel's ATM LANE module (lec_arp_clear_vccs function) where multiple ARP entries can share the same virtual circuit connection (VCC). When a VCC is closed, the kernel iterates through ARP entries and clears associated VCC pointers; if multiple entries share the same VCC, the first iteration frees the vpriv structure and sets it to NULL, causing subsequent iterations to crash when attempting to dereference the now-NULL pointer. A local attacker can trigger this denial of service condition through crafted ATM socket operations, as demonstrated by existing syzkaller reproducers.
A NULL pointer dereference vulnerability exists in the Linux kernel's TEQL (Trivial Ethernet Queue Limiting) network scheduler when transmitting through tunnel slave devices, particularly gretap tunnels. The vulnerability occurs because teql_master_xmit() fails to update skb->dev to the slave device before transmission, causing tunnel xmit functions to reference unallocated per-CPU statistics on the TEQL master device. This allows a local or networked attacker to trigger a kernel page fault and crash the system, resulting in a denial of service. No CVSS score, EPSS risk score, or KEV active exploitation status is currently published, but patch commits are available in Linux kernel stable branches (6.18.19, 6.19.9, and 7.0-rc4).
A stack overflow vulnerability exists in the Linux kernel's tunnel transmission functions (iptunnel_xmit and ip6tunnel_xmit) due to missing recursion limits when GRE tap interfaces operate as slaves in bonded devices with broadcast mode enabled. This allows local attackers or legitimate multicast/broadcast traffic to trigger infinite recursion between bond_xmit_broadcast() and tunnel transmission functions, causing kernel stack exhaustion and denial of service. The vulnerability affects multiple Linux kernel versions and has been resolved with the addition of IP_TUNNEL_RECURSION_LIMIT (4) to prevent excessive stack consumption during nested tunnel packet encapsulation.
This vulnerability is a race condition in the Linux kernel's F2FS file system that causes flag inconsistency between concurrent atomic commit and checkpoint write operations. The issue affects all Linux kernel versions with F2FS support (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), allowing information disclosure through incorrect inode state recovery after sudden power-off (SPO) scenarios. An attacker with local file system access during atomic write operations could trigger the race condition, leading to potential data inconsistency and information leakage when the system recovers.
A divide-by-zero vulnerability exists in the Linux kernel's rivafb framebuffer driver in the nv3_arb() function, which can be triggered by unprivileged userspace applications via the FBIOPUT_VSCREENINFO ioctl call on /dev/fb* devices. An attacker can crash the kernel by crafting a malicious or misconfigured PCI device that exposes a bogus PRAMDAC MCLK PLL configuration, causing the state->mclk_khz divisor to become zero. This is a Denial of Service vulnerability affecting the Linux kernel across multiple stable versions, with patches available in the kernel git repository.
A vulnerability in the Linux kernel's f2fs (Flash-Friendly File System) implementation fails to validate node footer integrity during asynchronous read and write I/O operations, allowing corrupted node page data to trigger a kernel BUG and cause denial of service. This affects all Linux kernel versions using f2fs, particularly those processing untrusted or fuzzed filesystem images. An attacker with the ability to craft a malicious f2fs filesystem image can trigger a kernel panic when the corrupted node page is written back, resulting in system unavailability.
A logic error in the Linux kernel's AMD GPU driver causes system crashes when two AMD GPUs are present and only one supports ASPM (Active State Power Management). The vulnerability stems from a commit that was erroneously reapplied after being removed in a prior refactoring, leading to incorrect ASPM state evaluation across multiple devices. Systems running affected Linux kernel versions with heterogeneous AMD GPU configurations (mixed ASPM support) will experience denial of service through kernel crashes.
This vulnerability is a memory leak in the Linux kernel's io_uring subsystem, specifically within the zero-copy receive (zcrx) implementation where a page array fails to be deallocated during scatter-gather initialization failures. The vulnerability affects all Linux kernel versions with the vulnerable io_uring/zcrx code path, allowing local attackers with the ability to trigger failed scatter-gather operations to exhaust kernel memory and cause denial of service. No active exploitation has been reported, but this is a kernel memory management issue with straightforward local triggering conditions.
A memory corruption vulnerability exists in the Linux kernel's Google Virtual Ethernet (gve) driver where dynamic queue count changes cause misalignment between the driver's stats region and the NIC's offset calculations. When queue counts increase, the NIC can write past the allocated stats region boundary causing heap corruption; when decreased, stats data becomes misaligned. This affects Linux kernel versions across multiple stable branches (as evidenced by patches in 5.10, 5.15, 6.1, 6.6, 6.7, 6.8, and 6.9 series). The vulnerability is not currently listed as actively exploited in KEV, but represents a critical reliability and security issue for systems using Google Cloud Platform infrastructure with the affected gve driver.
This vulnerability is a resource leak in the Linux kernel's NVMe/FC (NVMe over Fibre Channel) driver where the admin tag set and associated block I/O queue resources fail to be released if controller initialization encounters errors after the admin queue is allocated. The affected product is the Linux kernel across all versions that include the vulnerable nvme-fc code path. An attacker or malicious process could trigger repeated failed NVMe/FC controller initialization attempts to exhaust kernel memory through cumulative tag set leaks, potentially leading to denial of service. This is not actively exploited in the wild (not listed in CISA KEV), but patches are available across multiple kernel branches.
A memory leak vulnerability exists in the Linux kernel's regmap maple tree caching implementation where allocated memory is not freed when the mas_store_gfp() function fails during a write operation. This affects all Linux kernel versions containing the vulnerable regcache_maple_write() function, potentially allowing local attackers to exhaust kernel memory through repeated cache write failures. While no CVSS score or EPSS data is currently available, the vulnerability has been assigned CVE-2026-23260 and multiple stable kernel patches are available, indicating this is a recognized and actively addressed issue.
A memory management vulnerability exists in the Linux kernel's io_uring subsystem where allocated iovec buffers may fail to be properly freed when a read/write request cannot be recycled back to the rw_cache. This affects all Linux kernel versions with the vulnerable io_uring/rw code path, potentially allowing local attackers to trigger memory leaks that degrade system performance or enable denial of service conditions. The vulnerability has been patched in the Linux kernel stable trees as evidenced by the provided commit references.
A memory leak vulnerability exists in the Linux kernel's Liquidio network driver within the setup_nic_devices() function where the netdev pointer is not initialized in the oct->props[i].netdev structure before calling queue setup functions. If netif_set_real_num_rx_queues() or netif_set_real_num_tx_queues() fail, the allocated netdev memory is not freed because the cleanup function liquidio_destroy_nic_device() cannot locate it via the NULL pointer. This affects all Linux kernel versions with the Liquidio driver and allows for memory exhaustion through repeated device initialization failures.
A vulnerability in the Linux kernel's Generic Receive Offload (GRO) implementation for UDP traffic causes incorrect network offset calculations when processing encapsulated packets. The flaw affects all Linux kernel versions where the GRO subsystem handles UDP encapsulation, as specified in the CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. When hardware NICs, the tun driver, or veth setups inject packets with the encapsulation flag set, the udp4_gro_complete() function incorrectly computes the outer UDP header pseudo checksum using the inner network offset, leading to checksum validation failures that can disrupt packet processing and potentially cause denial of service or packet drops. No active exploitation has been reported in the wild, and no public proof-of-concept code is known to exist, though the vulnerability is triggered through normal network operations involving UDP-encapsulated traffic.
A memory allocation failure vulnerability exists in the Linux kernel's XFS filesystem checking code where the xchk_xfile_*_descr macros call kasprintf with formatted strings that can exceed safe allocation limits, leading to potential denial of service or information disclosure. This affects Linux kernel versions 6.6 through 6.14 and later releases including 6.18.16, 6.19.6, and 7.0-rc1, with the vulnerability discoverable through syzbot fuzzing by researcher Jiaming Zhang. While no active exploitation has been confirmed, the issue represents a path to failure in a core filesystem validation component that could be triggered by malicious or malformed filesystem structures.
In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument.
Ubuntu Linux 6.8 GA retains the legacy AF_UNIX garbage collector but backports upstream commit 8594d9b85c07 ("af_unix: Don’t call skb_get() for OOB skb"). When orphaned MSG_OOB sockets hit unix_gc(), the garbage collector still calls kfree_skb() as if OOB SKBs held two references; on Ubuntu Linux 6.8 (Noble Numbat) kernel tree, they have only the queue reference, so the buffer is freed while still reachable and subsequent queue walks dereference freed memory, yielding a reliable local privile...
The Linux kernel's romfs filesystem fails to validate the return value of sb_set_blocksize(), allowing a local attacker with user privileges to trigger a denial of service by mounting a romfs image on a loop device configured with an incompatible block size. Public exploit code exists for this vulnerability. The flaw causes the filesystem to proceed with an invalid superblock configuration, potentially leading to system crashes or filesystem corruption.
The Linux kernel's Classmate laptop driver lacks NULL pointer checks in sysfs attribute handlers, allowing local users to trigger a denial of service by accessing device attributes before driver initialization completes. A premature sysfs access can cause the driver to dereference a NULL pointer when retrieving uninitialized device data, crashing the affected system.
Local privilege escalation in Linux kernel f2fs sysfs attributes allows unprivileged users to trigger out-of-bounds memory access and cause denial of service by writing oversized integer values to filesystem control interfaces. The vulnerability stems from improper bounds checking when mapping sysfs attributes to kernel structures of varying integer sizes, enabling attackers to corrupt kernel memory and crash the system. No patch is currently available for this vulnerability.
A use-after-free vulnerability in the Linux kernel's f2fs filesystem allows a local attacker with user privileges to trigger memory corruption and crash the system through a race condition between I/O completion and filesystem unmount operations. The vulnerability occurs when a loop device completes write operations concurrently with an unmount that frees filesystem structures still being accessed by pending I/O handlers. This issue has no available patch and requires kernel-level access to exploit.
F2FS swapfile memory corruption in Linux kernel 6.6+ allows local attackers with user privileges to cause data corruption through improper physical block mapping when using fragmented swapfiles smaller than the F2FS section size. Public exploit code exists for this vulnerability, and attackers can trigger dm-verity corruption errors or F2FS node corruption leading to system crashes and data loss. No patch is currently available.
A revert of a Linux kernel patch introduces a potential deadlock condition in the f2fs filesystem when concurrent write operations and checkpoint operations occur, allowing a local user with write permissions to cause a denial of service through system hang. The vulnerability affects the Linux kernel's f2fs module and requires low privileges to trigger. No patch is currently available to address this issue.
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() causing double free Kernel panic observed on system, [5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 [5353358.825194] #PF: supervisor write access in kernel mode [5353358.825195] #PF: error_code(0x0002) - not-present page [5353358.825196] PGD 100006067 P4D 0 [5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI [5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1 [5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025 [5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10 [5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246 [5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000 [5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000 [5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000 [5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090 [5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000 [5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000 [5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0 [5353358.825221] PKRU: 55555554 [5353358.825222] Call Trace: [5353358.825223] <TASK> [5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825232] ? sg_copy_buffer+0xc8/0x110 [5353358.825236] ? __die_body.cold+0x8/0xd [5353358.825238] ? page_fault_oops+0x134/0x170 [5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110 [5353358.825244] ? exc_page_fault+0xa8/0x150 [5353358.825247] ? asm_exc_page_fault+0x22/0x30 [5353358.825252] ? memcpy_erms+0x6/0x10 [5353358.825253] sg_copy_buffer+0xc8/0x110 [5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx] [5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx] Most routines in qla_bsg.c call bsg_done() only for success cases.
Cryptopro Secure Disk contains a vulnerability that allows attackers to execute arbitrary code in the context of the root user and enables an attacker t (CVSS 6.8).
The Linux Kernel lockdown mode for kernel versions starting on 6.12 and above for Fedora Linux has the lockdown mode disabled without any warning. This may allow an attacker to gain access to sensitive information such kernel memory mappings, I/O ports, BPF and kprobes. [CVSS 7.7 HIGH]
The Linux kernel's virtio-crypto driver lacks proper synchronization when handling virtqueue notifications from multiple processes, causing data corruption and system hangs when processing cryptographic operations concurrently. Local attackers with user privileges can trigger denial of service by running parallel crypto workloads, as demonstrated through multi-process OpenSSL benchmarks that expose race conditions in the virtcrypto_done_task() handler. No patch is currently available for this medium-severity vulnerability affecting systems running virtio-crypto with builtin backends.
The Linux kernel ksmbd server leaks the active_num_conn counter when kthread_run() fails during TCP connection initialization, allowing local authenticated users to exhaust connection tracking resources and cause a denial of service. The vulnerability stems from improper cleanup that fails to decrement the counter when freeing the transport structure. No patch is currently available for this medium-severity issue.
Use-after-free vulnerability in Linux kernel XFS subsystem allows local attackers with unprivileged access to cause memory corruption and potential privilege escalation through improper pointer dereferencing in the btree block owner checking function. The flaw stems from attempting to access freed memory due to incorrect temporal ordering of operations when determining cursor aliases. This vulnerability affects all Linux systems using XFS and currently lacks a patch.
The Linux kernel's fsl-mc bus driver contains a use-after-free vulnerability in the driver_override_show() function that reads device configuration without proper locking, allowing a local privileged user to trigger memory corruption by concurrently modifying the same data. This vulnerability affects Linux systems running vulnerable kernel versions and could enable local denial of service or potential privilege escalation through heap memory manipulation. No patch is currently available for this issue.
In the Linux kernel, the following vulnerability has been resolved: nilfs2: Fix potential block overflow that cause system hang When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small.
{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3.
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Delay module unload while fabric scan in progress System crash seen during load/unload test in a loop.
In the Linux kernel, the following vulnerability has been resolved: wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add The driver does not set hw->sta_data_size, which causes mac80211 to allocate insufficient space for driver private station data in __sta_info_alloc().
In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Avoid creating sub-groups asynchronously The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Free sp in error path to fix system crash System crash seen during load/unload test in a loop, [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X.
In the Linux kernel, the following vulnerability has been resolved: crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode The local variable 'i' is initialized with -EINVAL, but the for loop immediately overwrites it and -EINVAL is never returned.
In the Linux kernel, the following vulnerability has been resolved: hfs: ensure sb->s_fs_info is always cleaned up When hfs was converted to the new mount api a bug was introduced by changing the allocation pattern of sb->s_fs_info.
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon() rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems.
Memory allocation profiling in the Linux kernel fails to properly clear allocation tags during abort operations when CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, allowing a local privileged user to trigger a denial of service through kernel warnings and potential system instability. The vulnerability affects the slab memory allocator's interaction with memcg abort handling and requires local access with elevated privileges to exploit. No patch is currently available for this medium-severity issue.
A null pointer dereference in the Linux kernel's loongson-64bit GPIO driver allows local attackers with user privileges to cause a denial of service through an incorrect NULL check that fails to validate chip->irq.parents after memory allocation. The vulnerability affects Linux systems with Loongson GPIO hardware and requires no user interaction to trigger. No patch is currently available.
A deadlock vulnerability in the Linux kernel's RISC-V tracing subsystem allows local users with tracing privileges to hang the system by enabling ftrace snapshots on __sbi_ecall functions, causing recursive IPI interrupts that trigger infinite snapshot loops. This issue is particularly easy to exploit on RISC-V systems lacking the SSTC extension, where timer events automatically invoke SBI ecalls. The vulnerability requires local access and is only exploitable if tracing is enabled, making it a denial of service vector for systems with active kernel tracing.
A use-after-free vulnerability in the Linux kernel's iSCSI target implementation allows local attackers with low privileges to cause memory corruption and potential denial of service by exploiting a race condition in the connection usage counting mechanism. The flaw occurs when a spinlock is released after calling complete(), allowing a waiting thread to free the connection structure before the current thread finishes its unlock operation. No patch is currently available for this vulnerability.
The Linux kernel's VMware hypercall implementation improperly handles register state during mouse events, allowing local attackers with user privileges to trigger a denial of service through a kernel panic via crafted input to the vmmouse driver. The vulnerability stems from incomplete register preservation when the QEMU VMware mouse emulation clears the upper 32 bits of CPU registers containing kernel pointers. No patch is currently available for this medium-severity issue affecting Linux systems running on VMware or QEMU with vmmouse support.
A denial of service vulnerability in the Linux kernel's btrfs filesystem allows local users with standard privileges to cause a system crash by triggering transaction aborts on read-only mounted filesystems. An attacker can exploit this by mounting a malformed btrfs filesystem with rescue options, causing the kernel to abort transactions with error handling failures during unmount. No patch is currently available for this medium-severity vulnerability.
AMD GPU drivers on Linux systems fail to prevent MMIO register access during SMU Mode 1 reset, allowing incomplete PCIe transactions that can trigger NMI panics or system hangs. A local attacker with driver interaction capabilities could exploit this to cause a denial of service by accessing registers while the device is offline. The vulnerability affects Linux kernel implementations with AMD PM functionality and currently lacks an available patch.
A data-race condition in the Linux kernel bonding driver's slave->last_rx field can be accessed without proper synchronization, potentially causing a denial of service on systems using bonded network interfaces. Local attackers with limited privileges can trigger the race condition to cause system instability or crashes. A patch is not currently available, and exploitation requires specific timing conditions.
Linux kernel swap handling can cause a kernel panic under heavy memory pressure when arch_prepare_to_swap fails due to read-only swap address space restrictions introduced in a prior commit. A local attacker with user privileges can trigger this denial of service condition during memory reclamation operations. No patch is currently available for this medium-severity vulnerability.
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't WARN for connections on invalid channels It's not clear (to me) how exactly syzbot managed to hit this, but it seems conceivable that e.g.
In the Linux kernel, the following vulnerability has been resolved: md: suspend array while updating raid_disks via sysfs In raid1_reshape(), freeze_array() is called before modifying the r1bio memory pool (conf->r1bio_pool) and conf->raid_disks, and unfreeze_array() is called after the update is completed.
A buffer overflow in the Linux kernel's ALSA USB audio driver allows local attackers with user privileges to write beyond allocated URB buffers by crafting malicious audio parameters with mismatched packet sizes and frame counts. An attacker can trigger out-of-bounds memory corruption, potentially achieving privilege escalation or denial of service. No patch is currently available for this vulnerability.
In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero The driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with ethsw->sw_attr.num_ifs as the element count.
A memory leak in the Linux kernel's SMB/CIFS client implementation allows local attackers with unprivileged access to exhaust kernel memory and cause a denial of service by triggering failed file operations on read-only mounted shares. An attacker can exploit this by repeatedly attempting to write files to a read-only CIFS mount, causing memory allocated for SMB requests to not be properly freed. The vulnerability persists until the cifs kernel module is unloaded, and currently lacks a public patch.
In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue Commit 1767bb2d47b7 ("ipv6: mcast: Don't hold RTNL for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.") removed the RTNL lock for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations.
In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress.
In the Linux kernel, the following vulnerability has been resolved: ceph: fix oops due to invalid pointer for kfree() in parse_longname() This fixes a kernel oops when reading ceph snapshot directories (.snap), for example by simply running `ls /mnt/my_ceph/.snap`.
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6 route.
{++++}-{4:4}: __might_fault+0xed/0x170 _copy_to_iter+0x118/0x1720 copy_page_to_iter+0x12d/0x1e0 filemap_read+0x720/0x10a0 blkdev_read_iter+0x2b5/0x4e0 vfs_read+0x7f4/0xae0 ksys_read+0x12a/0x250 do_syscall_64+0xcb/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (&sb->s_type->i_mutex_key#8){++++}-{4:4}: __lock_acquire+0x1509/0x26d0 lock_acquire+0x185/0x340 down_read+0x98/0x490 blkdev_read_iter+0x2a7/0x4e0 __kernel_read+0x39a/0xa90 freader_fetch+0x1d5/0xa80 __build_id_parse.isra.0+0xea/0x6a0 do_procmap_query+0xd75/0x1050 procfs_procmap_ioctl+0x7a/0xb0 __x64_sys_ioctl+0x18e/0x210 do_syscall_64+0xcb/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(&mm->mmap_lock); lock(&sb->s_type->i_mutex_key#8); lock(&mm->mmap_lock); rlock(&sb->s_type->i_mutex_key#8); *** DEADLOCK *** This seems to be exacerbated (as we haven't seen these syzbot reports before that) by the recent: 777a8560fd29 ("lib/buildid: use __kernel_read() for sleepable context") To make this safe, we need to grab file refcount while VMA is still locked, but other than that everything is pretty straightforward.
In the Linux kernel, the following vulnerability has been resolved: i2c: imx: preserve error state in block data length handler When a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX, the length handler sets the state to IMX_I2C_STATE_FAILED.
In the Linux kernel, the following vulnerability has been resolved: HID: Intel-thc-hid: Intel-thc: Add safety check for reading DMA buffer Add DMA buffer readiness check before reading DMA buffer to avoid unexpected NULL pointer accessing.
In the Linux kernel, the following vulnerability has been resolved: rust_binder: correctly handle FDA objects of length zero Fix a bug where an empty FDA (fd array) object with 0 fds would cause an out-of-bounds error.
Memory leak in AMD ASoC PDM DMA operations allows local attackers with user-level privileges to cause denial of service through resource exhaustion on affected Linux systems. The vulnerability persists as no patch is currently available, leaving vulnerable systems at continued risk of system instability or crash from cumulative memory consumption.
A null pointer dereference in the CephFS kernel client's MDS authentication matching function (ceph_mds_auth_match()) allows local attackers with low privileges to cause a denial of service by crashing the kernel when the mds_namespace mount option is not specified. This regression affects Linux kernel versions 6.18-rc1 and later, impacting systems using CephFS with default mount configurations. No patch is currently available for this vulnerability.
In the Linux kernel, the following vulnerability has been resolved: net: usb: r8152: fix resume reset deadlock rtl8152 can trigger device reset during reset which potentially can result in a deadlock: **** DPM device timeout after 10 seconds; 15 seconds until panic **** Call Trace: <TASK> schedule+0x483/0x1370 schedule_preempt_disabled+0x15/0x30 __mutex_lock_common+0x1fd/0x470 __rtl8152_set_mac_address+0x80/0x1f0 dev_set_mac_address+0x7f/0x150 rtl8152_post_reset+0x72/0x150 usb_reset_device+0x1d0/0x220 rtl8152_resume+0x99/0xc0 usb_resume_interface+0x3e/0xc0 usb_resume_both+0x104/0x150 usb_resume+0x22/0x110 The problem is that rtl8152 resume calls reset under tp->control mutex while reset basically re-enters rtl8152 and attempts to acquire the same tp->control lock once again.
In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains Fix out-of-range access of bc->domains in imx8m_blk_ctrl_remove().
The Linux kernel's acpi_power_meter driver contains a deadlock vulnerability in its notify callback function that can cause a denial of service when device removal races with sysfs attribute access. A local user with privileges to trigger power meter notifications can exploit this to hang or crash the system. No patch is currently available.
In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: fix NULL pointer dereference when setting max An issue was triggered: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 15 UID: 0 PID: 658 Comm: bash Tainted: 6.19.0-rc6-next-2026012 Tainted: [O]=OOT_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), RIP: 0010:strcmp+0x10/0x30 RSP: 0018:ffffc900017f7dc0 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888107cd4358 RDX: 0000000019f73907 RSI: ffffffff82cc381a RDI: 0000000000000000 RBP: ffff8881016bef0d R08: 000000006c0e7145 R09: 0000000056c0e714 R10: 0000000000000001 R11: ffff888107cd4358 R12: 0007ffffffffffff R13: ffff888101399200 R14: ffff888100fcb360 R15: 0007ffffffffffff CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000105c79000 CR4: 00000000000006f0 Call Trace: <TASK> dmemcg_limit_write.constprop.0+0x16d/0x390 ? __pfx_set_resource_max+0x10/0x10 kernfs_fop_write_iter+0x14e/0x200 vfs_write+0x367/0x510 ksys_write+0x66/0xe0 do_syscall_64+0x6b/0x390 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f42697e1887 It was trriggered setting max without limitation, the command is like: "echo test/region0 > dmem.max".
In the Linux kernel, the following vulnerability has been resolved: spi: tegra: Fix a memory leak in tegra_slink_probe() In tegra_slink_probe(), when platform_get_irq() fails, it directly returns from the function with an error code, which causes a memory leak.
In the Linux kernel, the following vulnerability has been resolved: btrfs: sync read disk super and set block size When the user performs a btrfs mount, the block device is not set correctly. The user sets the block size of the block device to 0x4000 by executing the BLKBSZSET command.
In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready() When the socket is closed while in TCP_LISTEN a callback is run to flush all outstanding packets, which in turns calls nvmet_tcp_listen_data_ready() with the sk_callback_lock held.
In the Linux kernel, the following vulnerability has been resolved: mm, shmem: prevent infinite loop on truncate race When truncating a large swap entry, shmem_free_swap() returns 0 when the entry's index doesn't match the given index due to lookup alignment.
In the Linux kernel, the following vulnerability has been resolved: platform/x86: toshiba_haps: Fix memory leaks in add/remove routines toshiba_haps_add() leaks the haps object allocated by it if it returns an error after allocating that object successfully.
In the Linux kernel, the following vulnerability has been resolved: nvme-pci: handle changing device dma map requirements The initial state of dma_needs_unmap may be false, but change to true while mapping the data iterator. Enabling swiotlb is one such case that can change the result.
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: ocb: skip rx_no_sta when interface is not joined ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only present after JOIN_OCB.
CVE-2025-71223 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures.
In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: ensure skb headroom before skb_push This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is less than needed (typically 110 - 94 = 16 bytes).
In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents.