Skip to main content

Linux

12817 CVEs vendor

Monthly

CVE-2026-53194 HIGH PATCH This Week

Heap out-of-bounds write in the Linux kernel's USB serial driver for KL5KUSB105-based adapters (kl5kusb105) lets a write to an attached tty corrupt slab memory two bytes past a 64-byte bulk-out buffer. The flaw is in klsi_105_prepare_write_buffer(), which reserves a two-byte length header but still copies the full buffer size from the write FIFO, overrunning the allocation by KLSI_HDR_LEN (2) bytes. EPSS is low (0.19%, 9th percentile) and there is no public exploit identified at time of analysis; the issue was found via KASAN using emulated hardware (dummy_hcd/raw-gadget), not in-the-wild exploitation.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53193 HIGH PATCH This Week

Local privilege escalation via use-after-free in the Linux kernel ALSA timer subsystem (sound/core/timer.c) allows an authenticated local user to corrupt kernel memory by triggering dangling references to a freed snd_timer object. When snd_timer_free() unlinked pending instances it left slave timer instances still pointing at the freed master timer; the flaw is readily reachable through the userspace-driven timer interface (CONFIG_SND_UTIMER), where opening/closing a file creates and destroys timer objects while other processes keep accessing them. EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis, but kernel UAF bugs of this class are historically a strong primitive for local privilege escalation.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53192 HIGH PATCH This Week

Local privilege escalation or memory corruption in the Linux kernel's ALSA timer subsystem stems from a use-after-free in snd_timer_user_params() reachable via the SNDRV_TIMER_IOCTL_PARAMS ioctl. A low-privileged local user with access to a timer device (notably userspace timers under CONFIG_SND_UTIMER) can race a concurrent ioctl against timer object release to access freed memory. No public exploit identified at time of analysis, and EPSS is low (0.18%), reflecting the local-only, race-dependent nature of the bug.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53191 HIGH PATCH This Week

Improper completion-flag handling in the Linux kernel's io_uring networking layer (io_uring/net) causes IORING_CQE_F_BUF_MORE to be dropped when a bundled recv operation retries while using incremental provided buffer rings (IOU_PBUF_RING_INC). Local applications using io_uring can be misled into advancing a buffer ring head past an entry the kernel is still using, leading to buffer reuse, data corruption, and potential information disclosure. There is no public exploit identified at time of analysis, EPSS is low (0.18%), and a vendor patch is available across stable trees.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53190 MEDIUM PATCH This Month

Reference-count leak in the Linux kernel's drm/virtio GPU driver allows a local low-privilege user inside a QEMU/KVM virtual machine to gradually exhaust kernel memory, causing a guest denial of service. The bug exists in virtio_gpu_dma_fence_wait(), where an early error return from inside dma_fence_unwrap_for_each() leaves a dma_fence reference acquired by dma_fence_unwrap_first() unreleased - the only such early-return site in the entire kernel tree. No public exploit is identified at time of analysis and EPSS sits at 0.18% (7th percentile), consistent with the absence from CISA KEV and the non-trivial conditions required to trigger repeated fence-wait failures.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53189 HIGH PATCH This Week

Use-after-free in the Linux kernel's transparent huge page code (mm/huge_memory) lets a local low-privileged process read freed folio state when __split_huge_pmd_locked() updates the file/shmem RSS counter only after dropping the PMD mapping's folio reference. On affected kernels (introduced around the 4.19 era through to fixes in 6.x/7.x stable trees), a final folio_put() can free the folio before mm_counter_file() inspects it via folio_test_swapbacked(), enabling reads of freed kernel memory. There is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile), consistent with a hard-to-win race rather than turnkey exploitation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53188 HIGH PATCH This Week

Privilege/capability boundary bypass in the Linux kernel RDMA/core subsystem (ib_get_ucaps) lets a local low-privileged user masquerade as an authentic user-capability (ucap) character-device file descriptor. Because char and block devices share the dev_t namespace, the kernel previously validated only the device number, so a block device with a matching dev_t could be passed to ib_get_ucaps() to impersonate a legitimate ucap cdev and obtain RDMA capabilities the user should not hold. The fix validates the file's f_ops to accept only genuine cdevs. EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis; a stable-tree vendor patch is available.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53187 HIGH PATCH This Week

Local out-of-bounds read in the Linux kernel's RDMA/core subsystem allows a low-privileged user with access to RDMA uverbs to crash the system or leak adjacent kernel memory by supplying an unvalidated cpu_id during DMA handle (DMAH) allocation. The UVERBS_ATTR_ALLOC_DMAH_CPU_ID attribute is passed straight to cpumask_test_cpu() without a bounds check, and on CONFIG_DEBUG_PER_CPU_MAPS kernels combined with panic_on_warn it forces a reboot. There is no public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile).

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53186 CRITICAL PATCH Act Now

Out-of-bounds read in the Linux kernel's RDMA/SRP initiator (ib_srp) driver lets a malicious or compromised SRP storage target that an initiator has logged into trigger a kernel memory over-read by returning an SRP_RSP with SRP_RSP_FLAG_SNSVALID and an attacker-controlled 32-bit resp_data_len that is never validated against the bytes actually received. With resp_data_len near 0xFFFFFFFF the sense-copy source lands gigabytes past the receive buffer, faulting the kernel for a denial of service and potentially disclosing adjacent kernel memory into the sense buffer. No public exploit is identified at time of analysis and EPSS is low (0.18%), but exploitation requires the privileged position of a trusted SRP target on the InfiniBand/RoCE fabric.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-53185 HIGH PATCH This Week

Use-after-free in the Linux kernel zram block-device driver allows local attackers to corrupt freed kernel page memory when a zram device is configured with a writeback (ZRAM_WB) backing device. The flaw is in zram_bvec_write_partial(), which passes its parent bio into zram_read_page(), causing the backing-device read to be dispatched asynchronously and return before completion; the buffer is then copied, rewritten, and freed while the in-flight read still writes into it. With a CVSS of 7.8 (high) but a low EPSS of 0.18% (7th percentile) and no public exploit identified at time of analysis, this is a memory-corruption primitive with potential for privilege escalation but no evidence of real-world abuse.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53184 HIGH PATCH This Week

Remote denial of service in the Linux kernel's UDP receive path affects systems where a UDP socket is placed in a BPF sockmap with an attached SK_SKB verdict program. Because skb->dev is repurposed as dev_scratch on the UDP path and never cleared before the verdict program runs, a verdict program that calls a socket-lookup helper (bpf_sk_lookup_tcp/udp, bpf_skc_lookup_tcp) causes dev_net() to dereference a stale integer as a net_device pointer, triggering a general protection fault on a non-canonical address in softirq. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and the flaw is fixed; impact is availability only (kernel crash), not the 'Information Disclosure' the input tags suggest.

Linux Canonical Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53183 HIGH PATCH This Week

Resource exhaustion in the Linux kernel's MPTCP (Multipath TCP) subsystem lets a remote peer drive incoming traffic past the receiver's configured rcvbuf size by breaking receive-window accounting. The defect arises because the TCP-level receive window is prevented from shrinking while the MPTCP-level window is independently constrained, so when data is acked at the TCP level but is out-of-order in MPTCP sequence space (or backlogged), the advertised MPTCP window is artificially inflated. EPSS is low (0.18%, 8th percentile), there is no public exploit identified at time of analysis and no KEV listing; the issue is corrected upstream and carries availability impact (CVSS A:H) despite a source 'Information Disclosure' tag.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53182 HIGH PATCH This Week

Heap buffer overflow in the Linux kernel's nl80211 WiFi configuration subsystem (cfg80211) allows a local user with network-configuration privileges to corrupt kernel memory by supplying an oversized EMA (Enhanced Multiple BSSID Advertisement) RNR element list. The parser nl80211_parse_rnr_elems() stores its element count in a u8 field and uses it to size a flexible-array allocation, so submitting 256 or more nested NL80211_ATTR_EMA_RNR_ELEMS attributes wraps the counter and produces an undersized allocation that is then overrun. There is no public exploit identified at time of analysis, EPSS risk is low (0.18%, 8th percentile), and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53181 MEDIUM PATCH This Month

The vsock/VMCI transport in the Linux kernel silently leaks the accept queue counter (sk_ack_backlog) on every failed vsock connection handshake, eventually causing a permanent denial of service on any vsock listener. Repeated handshake failures caused by malformed packets, queue pair allocation failures, or event subscription failures each increment sk_ack_backlog without a corresponding decrement; once the counter reaches sk_max_ack_backlog, the listener rejects all subsequent connections with -ECONNREFUSED until the owning process is restarted. No public exploit identified at time of analysis; EPSS of 0.18% at the 8th percentile reflects low automated exploitation probability, consistent with the VMware-specific exposure requirement.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53180 HIGH PATCH This Week

Denial of service in the Linux kernel timer migration subsystem allows the global timer hierarchy to enter an indefinite livelock, hanging the affected CPU. The flaw is in tmigr_handle_remote_up(), where tmigr_handle_remote_cpu() skipped timer_expire_remote() for the local CPU on the assumption that the softirq path already serviced its timers; when jiffies advance between local timer processing and remote evaluation, a newly expired timer is never run and is re-queued with expires==now, spinning the goto-again loop forever. The CVSS 3.1 base score is 7.5 (availability only) but EPSS is just 0.18% (7th percentile), there is no public exploit identified at time of analysis, and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53179 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel's rtl8723bs staging Wi-Fi driver (Realtek RTL8723BS SDIO) lets a local low-privileged actor read past the intended information-element (IE) buffer. rtw_update_protection() receives a pointer already offset into the ies buffer while still being passed the full ie_length, so parsing walks beyond the valid data. There is no public exploit identified at time of analysis, EPSS risk is low (0.17%, 7th percentile), it is not in CISA KEV, and fixed kernel releases are available.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53178 HIGH PATCH This Week

Memory-safety flaw in the Linux kernel's staging rtl8723bs Realtek SDIO Wi-Fi driver allows an adjacent (radio-range) attacker to trigger an unsigned-integer underflow in the rtw_mlme information-element parsing path, leading to out-of-bounds reads that can disclose kernel memory or crash the system. The bug occurs because ie_length was not validated before fixed IE offsets were subtracted from it. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but a vendor (upstream kernel) fix is available.

Linux Information Disclosure Integer Overflow
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-53177 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel bnxt_en Broadcom NetXtreme Ethernet driver crashes the kernel when PCIe error recovery fires against a closed NIC, causing a denial of service. Affected kernel versions span from 4.17 through multiple LTS and mainline branches up to 7.1-rc4, with patches released across all active stable series. No public exploit exists and EPSS sits at 0.17% (7th percentile), marking this as a reliability and stability concern rather than an actively targeted attack vector.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53176 CRITICAL PATCH Act Now

Remote denial of service in the Linux kernel's iSER (iSCSI Extensions for RDMA) target driver (IB/isert) allows an unauthenticated attacker on the RDMA fabric to crash a storage target node by sending an undersized iSCSI login PDU. The isert_login_recv_done() handler subtracts the 76-byte ISER_HEADERS_LEN from the received byte count without a lower bound, producing a negative signed login_req_len that is later sign-extended into a multi-gigabyte memcpy() length, causing a faulting out-of-bounds copy. Because the login phase precedes iSCSI authentication, no credentials are required; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.21%).

Linux Denial Of Service
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53175 CRITICAL PATCH Act Now

Slab use-after-free in the Linux kernel's IP fragment reassembly (inet frags) layer occurs during network namespace teardown: fqdir_pre_exit() flushes incomplete fragment queues via inet_frag_queue_flush() without clearing q->fragments_tail/last_run_head, so a fragment reassembly already in flight resumes after the flush and dereferences freed skbs. IPv4, IPv6, nf_conntrack_reasm6, and 6lowpan reassembly all share the affected flush path. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile); NVD scores it CVSS 9.8 (AV:N), but the bug is fundamentally a teardown-vs-reassembly race, so the network-unauthenticated framing overstates practical reachability.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53174 HIGH PATCH This Week

Improper error handling in the Linux kernel's overlayfs (ovl) directory-iteration code causes ovl_iterate_merged() to return a truncated cache pointer as a bogus non-zero error code after a successful ovl_cache_get(). The flaw is reachable by a local user performing a getdents64/readdir on a stacked overlay-on-overlay mount, as demonstrated by a syzbot reproducer; there is no public exploit and it is not actively exploited. EPSS is very low (0.16%, 6th percentile), consistent with a hard-to-leverage local logic bug rather than a broadly weaponizable flaw.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53173 HIGH This Week

Heap out-of-bounds write in the Linux kernel's accel/ethosu DRM driver (Arm Ethos-U NPU accelerator) allows a local user with access to the device to corrupt kernel heap memory through the command-stream copy-and-validate ioctl. The flaw stems from the parser advancing its index for 64-bit (bit-14-set) command words without re-checking the buffer bound, letting a crafted command stream write four bytes past a DMA allocation of attacker-controlled size. No public exploit is identified at time of analysis, EPSS is low (0.16%), and an upstream fix has landed in the stable trees.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53172 HIGH PATCH This Week

Heap out-of-bounds write in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) lets a local user with access to the NPU device corrupt adjacent kernel heap memory. The command-stream parser masks the IFM region index with 0x7f (max 127) instead of 0x7 (max 7) like every other region assignment, so a crafted NPU_SET_IFM_REGION opcode with param > 7 indexes far past the 8-entry region_size[]/output_region[] arrays, writing up to ~1016 bytes beyond the allocation. No public exploit identified at time of analysis, and EPSS is low (0.16%), but the bug is a classic exploitable heap-overflow primitive in privileged kernel context.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53171 HIGH PATCH This Week

Local privilege escalation and kernel memory corruption in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) arises from unchecked arithmetic in dma_length(), allowing a local user with access to the accelerator device to submit a crafted command stream that wraps around integer math and under-reports DMA region sizes. Because region_size[] is later used by ethosu_job.c to validate command-stream accesses against GEM buffer sizes, the wraparound bypasses bounds checking and permits out-of-bounds DMA access (CVSS 3.1 8.8). No public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile).

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53170 HIGH This Week

Local privilege escalation and host memory compromise is possible in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) because DMA commands with an uninitialized length sentinel (U64_MAX) bypass the driver's bounds checks. A local user permitted to submit jobs to the NPU can omit the NPU_SET_DMA0_LEN command before NPU_OP_DMA_START, triggering an integer wrap in dma_length() that returns 0, zeroing region_size[] and letting the hardware execute DMA against stale physical addresses. There is no public exploit identified at time of analysis, EPSS is low (0.17%), and the issue is not in CISA KEV, but the rated CVSS of 8.8 reflects full host memory read/write potential via the DMA engine.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53169 MEDIUM PATCH This Month

Unbounded kernel log spam and conditional kernel panic in the Linux kernel's accel/ethosu Arm Ethos-U NPU driver allows any local unprivileged user with DRM device access to exhaust kernel log resources or crash the system. The driver's unimplemented NPU_OP_RESIZE command handler contains an unconditional WARN_ON(1) that fires every time userspace submits this operation via DRM_IOCTL_ETHOSU_GEM_CREATE. On systems where the panic_on_warn kernel parameter is enabled, this becomes a trivial denial-of-service primitive requiring only local DRM device access. No public exploit has been identified at time of analysis, and EPSS sits at the 5th percentile (0.15%), reflecting the niche hardware and non-default configuration requirements.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53168 MEDIUM PATCH This Month

Kernel crash via FUSE pagecache misuse in the Linux kernel allows a local low-privileged user controlling a FUSE daemon to trigger a WARN_ON() assertion in fuse_parse_cache() by sending FUSE_NOTIFY_STORE or FUSE_NOTIFY_RETRIEVE notifications targeting directory inodes instead of regular files, causing a denial-of-service kernel crash. The vulnerability specifically affects FUSE filesystems that have directory caching (FOPEN_CACHE_DIR) enabled, a non-default configuration that exposes kernel-internal pagecache storage to invalid manipulation. No public exploit has been identified, EPSS sits at 0.18% (7th percentile), and patches have been released across all active Linux stable branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53167 MEDIUM PATCH This Month

Uninitialized memory exposure in the Linux kernel FUSE subsystem allows a local attacker to read residual kernel page cache data via the FUSE_NOTIFY_RETRIEVE notification path. The flaw affects systems where folios not marked 'uptodate' are returned to FUSE daemons rather than treated as absent - a condition with direct security impact only on kernels built or booted without automatic page-allocation zeroing (CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1). No public exploit has been identified at time of analysis and EPSS sits at 0.17% (6th percentile), reflecting minimal observed exploitation activity.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53166 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's futex PI requeue path allows a local low-privileged user to crash the kernel. Triggered via FUTEX_CMP_REQUEUE_PI when a non-top waiter already owns the target PI futex, the deadlock detection path returns -EDEADLK before initializing waiter->task, which remove_waiter() then dereferences unconditionally. Impact is a kernel panic (system-wide denial of service). No public exploit identified at time of analysis and EPSS is at the 7th percentile, but the attack surface is any unprivileged local process on an affected kernel version.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53165 HIGH PATCH This Week

Denial of service in the Linux kernel's iomap buffered I/O layer allows a NULL pointer dereference (kernel oops/panic) when a buffered read fails on a folio split across multiple read completions. Because iomap_finish_folio_read() decremented read_bytes_pending before calling fserror_report_io(), a concurrent final read completion plus a truncate could detach the folio (folio->mapping = NULL) before the error path dereferenced it. CVSS 7.5 reflects availability-only impact (A:H); EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53164 MEDIUM PATCH This Month

Kernel availability impact in Linux iommu/dma SWIOTLB subsystem allows a local low-privileged user to corrupt IOMMU mappings and trigger a kernel WARN_ON via Thunderbolt NVMe passthrough commands. The iommu_dma_iova_link_swiotlb() function fails to guard against zero-length middle segments in unaligned DMA mappings, causing iommu_map() to receive an illegal zero-size argument; the subsequent error unwind then starts from the wrong offset, corrupting the IOMMU page table state and firing WARN_ON at destruction. No active exploitation is confirmed (not in CISA KEV), and EPSS of 0.17% (6th percentile) signals negligible threat-actor interest, but the bug is reliably reproducible with commodity Thunderbolt NVMe hardware.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53163 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's real-time mutex (rtmutex) subsystem allows a local low-privileged user to crash the kernel via FUTEX_CMP_REQUEUE_PI, causing a denial of service. Affected stable branches span Linux 6.1 through 7.1-rc5; vendor patches are available via kernel.org stable commits. No public exploit has been identified and EPSS is 0.17% (7th percentile), indicating negligible observed exploitation activity.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53162 HIGH PATCH This Week

Local privilege/availability weakness in the Linux kernel memory cgroup (memcg) subsystem stems from refill_stock() calling get_random_u32_below() for victim selection, a routine that is neither reentrant- nor NMI-safe. Because memcg charge draining can occur in NMI context, an NMI landing mid-update of the per-CPU batched_entropy_u32 ChaCha state could corrupt the random subsystem's per-CPU local_lock state. The fix replaces the random pick with a per-CPU round-robin counter serialized by the existing local_trylock; EPSS is very low (0.17%, 7th percentile), this is not in CISA KEV, and no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53161 HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's Qualcomm FastRPC misc driver (drivers/misc/fastrpc) arises from a use-after-free of the fastrpc_user structure during concurrent file-descriptor close and DSP response processing. A local user with access to the FastRPC device can race fastrpc_device_release() against the put_work workqueue so that fastrpc_context_free() dereferences an already-freed user object, enabling kernel memory corruption with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and EPSS is low (0.18%), consistent with a hard-to-win kernel race on Qualcomm-only hardware.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53160 HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's fastrpc misc driver allows an attacker with local low-privileged access to a FastRPC device to trigger a use-after-free in fastrpc_map_create by racing a concurrent MEM_UNMAP against map lookup. The flaw stems from fastrpc_map_lookup returning an unprotected raw pointer after dropping fl->lock, which a concurrent unmap can free before the reference is taken. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.17%, 7th percentile), consistent with a kernel race condition requiring local access and precise timing.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53159 MEDIUM PATCH This Month

Integer underflow in the Linux kernel fastrpc misc driver corrupts DMA addresses sent to Qualcomm DSPs, enabling a local low-privileged user to crash the DSP subsystem or induce a kernel panic. The flaw in fastrpc_get_args() affects all major stable kernel branches from 5.15 through 7.1-rc3 and is patched across multiple stable series. No public exploit exists and EPSS probability is 0.17% (7th percentile), indicating low real-world exploitation risk despite broad platform coverage.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53158 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's fastrpc misc driver crashes the kernel when a Qualcomm DSP sends a glink message before the fastrpc_rpmsg_probe() initialization routine completes. Systems using the Qualcomm FastRPC subsystem - primarily Android and embedded Qualcomm SoC platforms running Linux 5.1 through unpatched 6.x/7.x stable branches - are vulnerable to a local denial-of-service (kernel panic) at boot. No public exploit exists and EPSS is 0.17% (6th percentile), consistent with a hardware-timing race condition requiring specific Qualcomm DSP hardware rather than generic remote exploitation.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53157 HIGH PATCH This Week

Slab use-after-free in the Linux kernel's Phonet subsystem (net/phonet) allows a local privileged actor to trigger memory corruption when a phonet_device is torn down. phonet_device_destroy() unlinks the object from the per-net device list with list_del_rcu() but frees it immediately, so concurrent RCU readers can still dereference the freed object; the fix converts the free to kfree_rcu(). No public exploit identified at time of analysis, EPSS is very low (0.17%, 7th percentile), and it is not on CISA KEV, but the CVSS 3.1 base score is 7.8 (High) reflecting full confidentiality, integrity and availability impact from local exploitation.

Memory Corruption Linux Use After Free Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53156 HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's nvmem core subsystem arises from use-after-free bugs in multiple error paths where __nvmem_device_put() releases the nvmem device (and its backing memory/resources) but the code continues to dereference the freed structure before returning. A local, low-privileged user able to trigger these error paths can corrupt kernel memory, potentially leading to code execution or information disclosure. Fix is upstream in stable kernel trees; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.17%).

Memory Corruption Linux Use After Free Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53155 MEDIUM PATCH This Month

Corrupted reverse-mapping (rmap) state in the Linux kernel's mm/huge_memory subsystem crashes or destabilizes affected systems through a flag misinterpretation in set_pmd_migration_entry() for device-private PMD entries. On x86-64 with CONFIG_MEM_SOFT_DIRTY enabled, the function incorrectly reads the softdirty bit as a write-permission flag - because _PAGE_SWP_SOFT_DIRTY aliases _PAGE_RW - causing migration entries to be marked writable when they should be read-only, ultimately triggering a VM_WARN assertion in __folio_add_anon_rmap() when an AnonExclusive folio reaches entire_mapcount=2. No public exploit exists and no active exploitation is confirmed; a vendor patch is available as of Linux 7.0.13 and 7.1.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53154 MEDIUM PATCH This Month

Hugetlb VMA reservation leak in the Linux kernel mm/hugetlb subsystem allows a local authenticated user to trigger SIGBUS on a process at a previously reserved huge-page address. Two code paths - the UFFDIO_COPY resubmission path and the fork-time copy-on-write path - fail to call restore_reserve_on_error() after copy_user_large_folio() returns an error, leaving the per-VMA reservation map entry marked consumed. No public exploit exists and EPSS is 0.17% (6th percentile), but patches are available in multiple stable branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53153 HIGH PATCH This Week

Kernel memory corruption in the Linux memory-management list_lru subsystem (memory cgroup reparenting path) allows a local user to corrupt linked-list pointers and destabilize or potentially escalate privileges on the system. The flaw is a race condition in memcg_reparent_list_lrus(), affecting kernels from 6.13 onward; it carries CVSS 7.8 (High) with full confidentiality, integrity and availability impact but a low EPSS of 0.17% (7th percentile). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Linux Information Disclosure Enterprise Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53152 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's dw_mmc-rockchip MMC driver triggers kernel panics on systems running legacy Rockchip SoCs (rk2928, rk3066, rk3188) when the MMC subsystem initializes. Commit ff6f0286c896 introduced a mandatory private-data access path that was never populated for these old controllers - which historically had no UHS support and no parse_dt callback - causing a reproducible kernel crash on affected hardware. No active exploitation is confirmed (absent from CISA KEV), and the EPSS score of 0.17% (6th percentile) reflects negligible real-world exploitation probability; the primary risk is an accidental reliability failure on embedded systems running these legacy SoCs.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53151 CRITICAL PATCH Act Now

Out-of-bounds buffer access in the Linux kernel's AF_RXRPC (rxrpc) networking subsystem allows a remote attacker who can send crafted RxRPC-over-UDP traffic to trigger improper reads of the SACK table when an incoming ACK packet is deliberately fragmented. AF_RXRPC wrongly assumes skb_condense() always linearizes the packet before parsing soft-ACKs in rxrpc_input_soft_acks(), but skb_condense() can silently no-op, leading to access of a non-flat buffer and in-place modification of the received skbuff. No public exploit identified at time of analysis; EPSS is low at 0.17% (7th percentile) and this is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53150 MEDIUM PATCH This Month

Thunderbolt XDomain property validator in the Linux kernel triggers a heap underflow when processing zero-length TEXT property entries, enabling a local low-privileged attacker to crash the kernel (denial of service). The root cause is in tb_property_entry_valid(), which permits length==0 for TEXT entries that subsequently compute an array index of -1 during null-termination (0 * 4 - 1), writing one byte before the allocated buffer. No public exploit has been identified and EPSS is extremely low at 0.18% (8th percentile), indicating negligible opportunistic exploitation pressure despite the kernel's ubiquitous deployment footprint.

Integer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53149 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel Thunderbolt (thunderbolt) property parser lets a crafted property directory from a connected Thunderbolt/USB4 device cause the kernel to read past an allocated property block, potentially disclosing adjacent kernel memory or crashing the system. The flaw lives in __tb_property_parse_dir(), which fails to validate that content_offset + content_len stays within block_len for the root directory. It affects a broad range of stable kernel series and is fixed upstream; there is no public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.18% (7th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53148 HIGH PATCH This Week

Heap out-of-bounds write in the Linux kernel Thunderbolt/USB4 XDomain driver lets a malicious connected peer device corrupt kernel memory. In tb_xdp_properties_request(), the per-packet copy length is taken from the attacker-controlled response header without validating it against the previously kcalloc-allocated data buffer, so a peer advertising a length larger than data_length forces memcpy to write past the allocation. No public exploit identified at time of analysis and EPSS is low (0.18%), but the write-primitive nature (CWE-787) in kernel space makes it a meaningful local/physical attack surface on Thunderbolt-capable hosts.

Memory Corruption Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53147 HIGH PATCH This Week

Out-of-bounds memory read in the Linux kernel's Thunderbolt (thunderbolt) XDomain driver allows an adjacent peer connected over a Thunderbolt link to leak kernel heap memory or crash the host. The flaw lives in tb_xdp_handle_request(), which casts a received XDomain packet to protocol-specific structs without confirming the kmemdup allocation is large enough, so a deliberately undersized packet that still passes the generic header-length check triggers reads past the buffer. There is no public exploit identified at time of analysis, EPSS is low (0.18%), and it is not CISA KEV-listed.

Linux Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-53146 HIGH PATCH This Week

Information disclosure in the Linux kernel's Thunderbolt XDomain driver allows a malicious peer device to read stale kernel DMA-pool memory from prior transactions. The tb_xdomain_copy() function copies the full expected response_size from a received packet buffer without bounding it to the actual frame size, so a deliberately short response causes the kernel to leak adjacent buffer contents. No public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53145 HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel DRM/GEM subsystem stems from a race condition in the GEM change_handle ioctl when it runs concurrently with gem_close, where botched two-stage idr_replace handling against the wrong idr slot allows a concurrent close to steal the object's only inherited reference. The flaw affects systems using the DRM graphics stack (notably AMD GPU paths, per source tags) and an unprivileged local user with access to a DRM render/card device can trigger a use-after-free, with the upstream resolution disabling the change_handle ioctl entirely until the locking can be proven correct. No public exploit identified at time of analysis and EPSS is low (0.17%, 7th percentile), consistent with a local-only, hard-to-win race rather than mass exploitation.

Linux Amd Information Disclosure Enterprise Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53144 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's drm/amdkfd subsystem allows a local low-privileged user to trigger a kernel panic by invoking the kfd_ioctl_set_debug_trap() ioctl with a non-zero num_queues value and a NULL queue_array_ptr. The root flaw is that get_queue_ids() returns NULL in this case rather than ERR_PTR(-EINVAL), and both callers check only IS_ERR() - since IS_ERR(NULL) evaluates false, execution proceeds to q_array_invalidate(), which immediately dereferences the NULL pointer while iterating, crashing the kernel. No public exploit has been identified and the EPSS score of 0.17% (6th percentile) confirms low observed exploitation probability, though the trigger path is mechanically simple for any user with /dev/kfd access.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53143 HIGH PATCH This Week

Local information disclosure and memory corruption in the Linux kernel's AMD KFD (amdkfd) driver affects GFX11/Navi3x GPUs, where the v11 MQD manager wrongly used CP-compute checkpoint/restore handlers for SDMA queues. During a CRIU checkpoint or restore of an SDMA queue, the driver treats a 512-byte v11_sdma_mqd buffer as a 2048-byte v11_compute_mqd, so it either leaks 1536 bytes of adjacent GTT memory to userspace or overwrites 1536 bytes of neighboring GTT memory (ring buffers or adjacent MQDs). Exploitation requires local access with the ability to drive CRIU checkpoint/restore of a GPU compute process; there is no public exploit identified at time of analysis and EPSS is low (0.18%).

Linux Buffer Overflow Checkpoint
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53142 MEDIUM PATCH This Month

NULL pointer dereference in the Intel Xe GPU driver (drm/xe) causes a kernel panic during system suspend or shutdown when display hardware is disabled via hardware fuses rather than absent at initial probe. Systems running Linux 6.8 and later with Intel Xe GPUs in fuse-disabled display configurations are affected; a low-privileged local user can trigger an unplanned system crash by initiating suspend or shutdown. No public exploit exists and EPSS is 0.17% (6th percentile), reflecting this as a reliability and local-denial-of-service issue rather than a broad security priority.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53141 MEDIUM PATCH This Month

Reference counting leaks in the Linux kernel's drm/v3d driver allow a local user to exhaust kernel memory and trigger a denial-of-service condition on systems equipped with Broadcom VideoCore VI GPUs (e.g., Raspberry Pi 4/5). The flaw exists across three code paths in the SET_GLOBAL and CLEAR_GLOBAL perfmon ioctls, as well as in the perfmon destroy path, each of which fails to release references acquired by v3d_perfmon_find(). No public exploit or active exploitation has been identified; EPSS probability stands at 0.17%, reflecting negligible automated exploitation interest.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53140 MEDIUM PATCH This Month

Memory exhaustion via vaddr leak in the Linux kernel's V3D DRM driver allows a local low-privileged user to degrade or deny service on systems equipped with Broadcom V3D GPUs. The function v3d_rewrite_csd_job_wg_counts_from_indirect() maps two buffer objects (indirect buffer and workgroup buffer) but takes an early return path - without releasing the vaddr mappings - whenever any workgroup count read from the indirect buffer is zero, permanently leaking both BO mappings per triggering job submission. No public exploit has been identified and EPSS sits at the 6th percentile (0.17%), consistent with the hardware-specific, local-only attack surface; this vulnerability is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53139 MEDIUM PATCH This Month

The drm/v3d GPU driver in the Linux kernel mishandles indirect Compute Shader Dispatch (CSD) jobs that carry zeroed workgroup dimension counts, allowing a local low-privilege user with GPU compute access to crash the VideoCore VI GPU subsystem. The hardware interprets a zero workgroup count as 65536 - exceeding the user-space-exposed maximum of 65535 - instead of treating the dispatch as a no-op, causing undefined GPU behavior and a denial-of-service condition. Exploitation is constrained to Broadcom VideoCore VI hardware (Raspberry Pi 4/5 ecosystem); EPSS is 0.17% (6th percentile), no public exploit exists, and the vulnerability is absent from CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53138 HIGH PATCH This Week

Out-of-bounds read and unbounded-iteration denial of service in the Linux kernel's AMD Display (amdgpu DC) driver arises when the bios_parser/bios_parser2 code walks VBIOS record chains that lack a proper 0xFF terminator record. A local attacker able to supply a malformed VBIOS image can force hundreds of thousands of probe-time iterations (with record_size=1) and, near the image boundary, trigger struct casts that read past the 2-byte header validated by GET_IMAGE. There is no public exploit identified at time of analysis, and the EPSS score is low (0.17%, 6th percentile), consistent with a local, firmware-dependent memory-safety bug rather than a broadly exploited remote flaw.

Linux Amd Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53137 HIGH PATCH This Week

Out-of-bounds kernel heap write in the AMD Display (amdgpu) driver's HDMI HDCP 2.x repeater authentication path affects Linux kernels from 5.6 through the 7.1 release candidates. When reading a downstream sink's RxStatus register, the driver in mod_hdcp_read_rx_id_list() uses an attacker-influenced 10-bit message-size field (up to 1023 bytes) as the I2C read length without bounding it to the 177-byte rx_id_list buffer, so a malicious HDMI repeater can force a write past the buffer and corrupt kernel memory. There is no public exploit identified at time of analysis and EPSS is low (0.21%, 11th percentile); it is not listed in CISA KEV.

Memory Corruption Linux Amd Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53136 HIGH PATCH This Week

Out-of-bounds heap write in the Linux kernel amdgpu DRM display driver (drm/amd/display) arises because the VBIOS integrated info tables (v1_11 and v2_1) expose unvalidated u8 HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C settings into fixed-size arrays (9 and 3 elements). A malformed VBIOS can set these counts up to 255, overrunning the destination arrays during driver probe on AMD GPU systems. No public exploit has been identified and EPSS is very low (0.17%), but the memory-corruption primitive (CWE-787) carries high confidentiality, integrity, and availability impact per the CVSS 7.8 rating.

Memory Corruption Linux Amd Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53135 MEDIUM PATCH This Month

NULL pointer dereference and buffer over-read in the Linux kernel's AMD display driver (drm/amd/display) can be triggered by a local user writing to the sdp_message debugfs node, causing a kernel panic and denial of service. The dp_sdp_message_debugfs_write() function fails to check whether connector->base.state->crtc is NULL - a valid transient state after GPU hotplug before an atomic commit - and unconditionally passes 36 bytes to copy_from_user() regardless of the caller-provided size, enabling a second over-read path. No public exploit or CISA KEV listing exists; EPSS is 0.18% (7th percentile), consistent with a localized, hardware-dependent DoS.

Linux Amd Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53134 MEDIUM PATCH This Month

{4,6}_eval() zeroes only the first of four declared registers, leaving three registers holding uninitialized contents from nft_do_chain()'s struct nft_regs stack frame; a downstream nftables expression reading the full IFNAMSIZ span then exposes that data to userspace. No public exploit code has been identified at time of analysis and EPSS sits at the 7th percentile (0.18%), consistent with a narrow, locally-gated exploitation path.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53133 HIGH PATCH This Week

Memory corruption in the Linux kernel's RDMA/umem subsystem occurs because __rdma_block_iter_next() uses 32-bit types to reassemble scatter-gather entries, truncating DMA addresses for block sizes of 4GB or larger when an IOMMU linearizes the mapping. Affected versions span the long-lived 5.2 through 7.1 development line; a low-privileged local actor with RDMA device access can drive the kernel to compute wrong DMA addresses, yielding high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with the narrow hardware/configuration prerequisites.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53132 HIGH PATCH This Week

Denial of service in the Linux kernel's virtio vsock transport allows a local actor to exhaust kernel memory by flooding the socket with zero-length packets flagged VIRTIO_VSOCK_SEQ_EOM, which bypass receive-buffer accounting and grow the skb receive queue without bound. The flaw affects the vsock/virtio guest-host communication path and carries CVSS 7.1 (A:H, scope-changed); EPSS is low (0.17%, 6th percentile) and there is no public exploit identified at time of analysis. Note a data conflict: the input tags it 'Information Disclosure', but the CVSS vector (C:N/I:N/A:H) and the description describe a memory-exhaustion availability issue, not disclosure.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53131 CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's netfilter subsystem allows attackers to leak adjacent kernel memory or crash the host by sending packets that traverse MAC-based matching paths (`xt_mac`, `ip6t_eui64`, the `bitmap:ip,mac`/`hash:ip,mac`/`hash:mac` ipset types, and `nf_log_syslog`) which call `eth_hdr(skb)` without first confirming the skb carries a full Ethernet header. Affected kernels span the 5.15 through 7.1 stable trees prior to the fixed releases, and the impact is information disclosure and denial of service rather than code execution. There is no public exploit identified at time of analysis, and the EPSS score is low at 0.17% (7th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.4
EPSS
0.2%
CVE-2026-53130 HIGH PATCH This Week

Out-of-bounds kernel memory write in the Linux kernel's OMFS filesystem driver (fs/omfs) allows a local attacker to corrupt kernel memory by mounting a crafted OMFS image. omfs_fill_super() validates that s_sys_blocksize is not larger than PAGE_SIZE but fails to enforce a lower bound, so a value below OMFS_DIR_START (0x1b8 = 440) triggers an unsigned integer underflow in omfs_make_empty(), driving a roughly 4 GiB memset() that overwrites kernel memory far beyond the block buffer. There is no public exploit identified at time of analysis, the EPSS score is low (0.18%), and it is not listed in CISA KEV; the fix has been backported across many stable kernel branches.

Linux Information Disclosure Integer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53129 HIGH PATCH This Week

Local privilege-dependent use-after-free in the Linux kernel's fs/mbcache subsystem allows a privileged user (root or CAP_SYS_ADMIN) to trigger memory corruption when unmounting an ext2, ext4, or ocfs2 filesystem. mb_cache_destroy() frees the cache without cancelling the pending c_shrink_work item, so a still-running mb_cache_shrink_worker() accesses freed memory (CWE-416), potentially leading to kernel code execution or crash. No public exploit identified at time of analysis; EPSS is low (0.16%, 5th percentile) and it is not on CISA KEV.

Memory Corruption Linux Use After Free Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53128 MEDIUM PATCH This Month

Kernel panic via RCU locking imbalance in the DRBD subsystem's drbd_adm_dump_devices() function affects Linux kernel versions from the introduction of commit a55bbd375d18 through multiple stable branches. A locally authenticated low-privilege user who can invoke DRBD administrative operations may trigger a kernel crash by exploiting the unbalanced rcu_read_unlock() call - called without a preceding rcu_read_lock() - leading to a denial-of-service via kernel instability. No public exploit exists and EPSS probability is 0.18% (8th percentile), indicating very low real-world exploitation activity.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53127 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: block: fix zones_cond memory leak on zone revalidation error paths When blk_revalidate_disk_zones() fails after disk_revalidate_zone_resources() has allocated args.zones_cond, the memory is leaked because no error path frees it.

Linux Information Disclosure
NVD VulDB
EPSS
0.1%
CVE-2026-53126 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current() Add the missing put_disk() on the error path in blkcg_maybe_throttle_current(). When blkcg lookup, blkg lookup, or blkg_tryget() fails, the function jumps to the out label which only calls rcu_read_unlock() but does not release the disk reference acquired by blkcg_schedule_throttle() via get_device(). Since current->throttle_disk is already set to NULL before the lookup, blkcg_exit() cannot release this reference either, causing the disk to never be freed. Restore the reference release that was present as blk_put_queue() in the original code but was inadvertently dropped during the conversion from request_queue to gendisk.

Linux Information Disclosure
NVD VulDB
EPSS
0.2%
CVE-2026-53125 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: md: fix array_state=clear sysfs deadlock When "clear" is written to array_state, md_attr_store() breaks sysfs active protection so the array can delete itself from its own sysfs store method. However, md_attr_store() currently drops the mddev reference before calling sysfs_unbreak_active_protection(). Once do_md_stop(..., 0) has made the mddev eligible for delayed deletion, the temporary kobject reference taken by sysfs_break_active_protection() can become the last kobject reference protecting the md kobject. That allows sysfs_unbreak_active_protection() to drop the last kobject reference from the current sysfs writer context. kobject teardown then recurses into kernfs removal while the current sysfs node is still being unwound, and lockdep reports recursive locking on kn->active with kernfs_drain() in the call chain. Reproducer on an existing level: 1. Create an md0 linear array and activate it: mknod /dev/md0 b 9 0 echo none > /sys/block/md0/md/metadata_version echo linear > /sys/block/md0/md/level echo 1 > /sys/block/md0/md/raid_disks echo "$(cat /sys/class/block/sdb/dev)" > /sys/block/md0/md/new_dev echo "$(($(cat /sys/class/block/sdb/size) / 2))" > \ /sys/block/md0/md/dev-sdb/size echo 0 > /sys/block/md0/md/dev-sdb/slot echo active > /sys/block/md0/md/array_state 2. Wait briefly for the array to settle, then clear it: sleep 2 echo clear > /sys/block/md0/md/array_state The warning looks like: WARNING: possible recursive locking detected bash/588 is trying to acquire lock: (kn->active#65) at __kernfs_remove+0x157/0x1d0 but task is already holding lock: (kn->active#65) at sysfs_unbreak_active_protection+0x1f/0x40 ... Call Trace: kernfs_drain __kernfs_remove kernfs_remove_by_name_ns sysfs_remove_group sysfs_remove_groups __kobject_del kobject_put md_attr_store kernfs_fop_write_iter vfs_write ksys_write Restore active protection before mddev_put() so the extra sysfs kobject reference is dropped while the mddev is still held alive. The actual md kobject deletion is then deferred until after the sysfs write path has fully returned.

Linux Information Disclosure
NVD VulDB
EPSS
0.2%
CVE-2026-53124 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: ublk: reset per-IO canceled flag on each fetch If a ublk server starts recovering devices but dies before issuing fetch commands for all IOs, cancellation of the fetch commands that were successfully issued may never complete. This is because the per-IO canceled flag can remain set even after the fetch for that IO has been submitted - the per-IO canceled flags for all IOs in a queue are reset together only once all IOs for that queue have been fetched. So if a nonempty proper subset of the IOs for a queue are fetched when the ublk server dies, the IOs in that subset will never successfully be canceled, as their canceled flags remain set, and this prevents ublk_cancel_cmd from actually calling io_uring_cmd_done on the commands, despite the fact that they are outstanding. Fix this by resetting the per-IO cancel flags immediately when each IO is fetched instead of waiting for all IOs for the queue (which may never happen).

Linux Apple Information Disclosure
NVD VulDB
EPSS
0.1%
CVE-2026-53123 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: md: wake raid456 reshape waiters before suspend During raid456 reshape, direct IO across the reshape position can sleep in raid5_make_request() waiting for reshape progress while still holding an active_io reference. If userspace then freezes reshape and writes md/suspend_lo or md/suspend_hi, mddev_suspend() kills active_io and waits for all in-flight IO to drain. This can deadlock: the IO needs reshape progress to continue, but the reshape thread is already frozen, so the active_io reference is never dropped and suspend never completes. raid5_prepare_suspend() already wakes wait_for_reshape for dm-raid. Do the same for normal md suspend when reshape is already interrupted, so waiting raid456 IO can abort, drop its reference, and let suspend finish. The mdadm test tests/25raid456-reshape-deadlock reproduces the hang.

Linux Information Disclosure
NVD VulDB
EPSS
0.2%
CVE-2026-53122 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock between reflink and transaction commit when using flushoncommit When using the flushoncommit mount option, we can have a deadlock between a transaction commit and a reflink operation that copied an inline extent to an offset beyond the current i_size of the destination node. The deadlock happens like this: 1) Task A clones an inline extent from inode X to an offset of inode Y that is beyond Y's current i_size. This means we copied the inline extent's data to a folio of inode Y that is beyond its EOF, using a call to copy_inline_to_page(); 2) Task B starts a transaction commit and calls btrfs_start_delalloc_flush() to flush delalloc; 3) The delalloc flushing sees the new dirty folio of inode Y and when it attempts to flush it, it ends up at extent_writepage() and sees that the offset of the folio is beyond the i_size of inode Y, so it attempts to invalidate the folio by calling folio_invalidate(), which ends up at btrfs' folio invalidate callback - btrfs_invalidate_folio(). There it tries to lock the folio's range in inode Y's extent io tree, but it blocks since it's currently locked by task A - during a reflink we lock the inodes and the source and destination ranges after flushing all delalloc and waiting for ordered extent completion - after that we don't expect to have dirty folios in the ranges, the exception is if we have to copy an inline extent's data (because the destination offset is not zero); 4) Task A then attempts to start a transaction to update the inode item, and then it's blocked since the current transaction is in the TRANS_STATE_COMMIT_START state. Therefore task A has to wait for the current transaction to become unblocked (its state >= TRANS_STATE_UNBLOCKED). So task A is waiting for the transaction commit done by task B, and the later waiting on the extent lock of inode Y that is currently held by task A. Syzbot recently reported this with the following stack traces: INFO: task kworker/u8:7:1053 blocked for more than 143 seconds. Not tainted syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u8:7 state:D stack:23520 pid:1053 tgid:1053 ppid:2 task_flags:0x4208060 flags:0x00080000 Workqueue: writeback wb_workfn (flush-btrfs-46) Call Trace: <TASK> context_switch kernel/sched/core.c:5298 [inline] __schedule+0x1553/0x5240 kernel/sched/core.c:6911 __schedule_loop kernel/sched/core.c:6993 [inline] schedule+0x164/0x360 kernel/sched/core.c:7008 wait_extent_bit fs/btrfs/extent-io-tree.c:811 [inline] btrfs_lock_extent_bits+0x59c/0x700 fs/btrfs/extent-io-tree.c:1914 btrfs_lock_extent fs/btrfs/extent-io-tree.h:152 [inline] btrfs_invalidate_folio+0x43d/0xc40 fs/btrfs/inode.c:7704 extent_writepage fs/btrfs/extent_io.c:1852 [inline] extent_write_cache_pages fs/btrfs/extent_io.c:2580 [inline] btrfs_writepages+0x12ff/0x2440 fs/btrfs/extent_io.c:2713 do_writepages+0x32e/0x550 mm/page-writeback.c:2554 __writeback_single_inode+0x133/0x11a0 fs/fs-writeback.c:1750 writeback_sb_inodes+0x995/0x19d0 fs/fs-writeback.c:2042 wb_writeback+0x456/0xb70 fs/fs-writeback.c:2227 wb_do_writeback fs/fs-writeback.c:2374 [inline] wb_workfn+0x41a/0xf60 fs/fs-writeback.c:2414 process_one_work kernel/workqueue.c:3276 [inline] process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> INFO: task syz.4.64:6910 blocked for more than 143 seconds. Not tainted syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz.4.64 state:D stack:22752 pid:6910 tgid: ---truncated---

Linux Information Disclosure
NVD VulDB
EPSS
0.2%
CVE-2026-53121 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init() On failure to set the epp, the function amd_pstate_epp_cpu_init() returns with an error code without freeing the cpudata object that was allocated at the beginning of the function. Ensure that the cpudata object is freed before returning from the function. This memory leak was discovered by Claude Opus 4.6 with the aid of Chris Mason's AI review-prompts (https://github.com/masoncl/review-prompts/tree/main/kernel).

Linux Amd Information Disclosure
NVD VulDB
EPSS
0.2%
CVE-2026-53120 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: PCI: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

Linux Information Disclosure
NVD VulDB
EPSS
0.2%
CVE-2026-53119 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: platform/wmi: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

Linux Information Disclosure
NVD VulDB
EPSS
0.2%
CVE-2026-53118 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: vdpa: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

Linux Information Disclosure
NVD VulDB
EPSS
0.2%
CVE-2026-53117 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: s390/cio: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

Linux Information Disclosure
NVD VulDB
EPSS
0.2%
CVE-2026-53116 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: s390/ap: use generic driver_override infrastructure When the AP masks are updated via apmask_store() or aqmask_store(), ap_bus_revise_bindings() is called after ap_attr_mutex has been released. This calls __ap_revise_reserved(), which accesses the driver_override field without holding any lock, racing against a concurrent driver_override_store() that may free the old string, resulting in a potential UAF. Fix this by using the driver-core driver_override infrastructure, which protects all accesses with an internal spinlock. Note that unlike most other buses, the AP bus does not check driver_override in its match() callback; the override is checked in ap_device_probe() and __ap_revise_reserved() instead. Also note that we do not enable the driver_override feature of struct bus_type, as AP - in contrast to most other buses - passes "" to sysfs_emit() when the driver_override pointer is NULL. Thus, printing "\n" instead of "(null)\n". Additionally, AP has a custom counter that is modified in the corresponding custom driver_override_store().

Linux Information Disclosure
NVD VulDB
EPSS
0.1%
CVE-2026-53115 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

Linux Information Disclosure
NVD VulDB
EPSS
0.2%
CVE-2026-53114 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler Calling perf_allow_kernel() from the NMI context is unsafe and could be fatal. Capture the permission at event-initialization time by storing it in event->hw.flags, and have the NMI handler rely on that cached flag instead of making the call directly.

Linux Amd Information Disclosure
NVD VulDB
EPSS
0.2%
CVE-2026-53113 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix memory leaks in beacon template setup The functions ath11k_mac_setup_bcn_tmpl_ema() and ath11k_mac_setup_bcn_tmpl_mbssid() allocate memory for beacon templates but fail to free it when parameter setup returns an error. Since beacon templates must be released during normal execution, they must also be released in the error handling paths to prevent memory leaks. Fix this by using unified exit paths with proper cleanup in the respective error paths. Compile tested only. Issue found using a prototype static analysis tool and code review.

Linux Information Disclosure
NVD VulDB
EPSS
0.2%
CVE-2026-53112 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware. But it is never killed in rtl_pci_deinit(). When the rtlwifi card probe fails or is being detached, the ieee80211_hw is deallocated. However, irq_prepare_bcn_tasklet may still be running or pending, leading to use-after-free when the freed ieee80211_hw is accessed in _rtl_pci_prepare_bcn_tasklet(). Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to ensure that irq_prepare_bcn_tasklet is properly terminated before the ieee80211_hw is released. The issue was identified through static analysis.

Linux Information Disclosure
NVD VulDB
EPSS
0.2%
CVE-2026-53111 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap The bpf_lwt_xmit_push_encap helper needs to access skb_dst(skb)->dev to calculate the needed headroom: err = skb_cow_head(skb, len + LL_RESERVED_SPACE(skb_dst(skb)->dev)); But skb->_skb_refdst may not be initialized when the skb is set up by bpf_prog_test_run_skb function. Executing bpf_lwt_push_ip_encap function in this scenario will trigger null pointer dereference, causing a kernel crash as Yinhao reported: [ 105.186365] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 105.186382] #PF: supervisor read access in kernel mode [ 105.186388] #PF: error_code(0x0000) - not-present page [ 105.186393] PGD 121d3d067 P4D 121d3d067 PUD 106c83067 PMD 0 [ 105.186404] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 105.186412] CPU: 3 PID: 3250 Comm: poc Kdump: loaded Not tainted 6.19.0-rc5 #1 [ 105.186423] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 105.186427] RIP: 0010:bpf_lwt_push_ip_encap+0x1eb/0x520 [ 105.186443] Code: 0f 84 de 01 00 00 0f b7 4a 04 66 85 c9 0f 85 47 01 00 00 31 c0 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8b 73 58 48 83 e6 fe <48> 8b 36 0f b7 be ec 00 00 00 0f b7 b6 e6 00 00 00 01 fe 83 e6 f0 [ 105.186449] RSP: 0018:ffffbb0e0387bc50 EFLAGS: 00010246 [ 105.186455] RAX: 000000000000004e RBX: ffff94c74e036500 RCX: ffff94c74874da00 [ 105.186460] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff94c74e036500 [ 105.186463] RBP: 0000000000000001 R08: 0000000000000002 R09: 0000000000000000 [ 105.186467] R10: ffffbb0e0387bd50 R11: 0000000000000000 R12: ffffbb0e0387bc98 [ 105.186471] R13: 0000000000000014 R14: 0000000000000000 R15: 0000000000000002 [ 105.186484] FS: 00007f166aa4d680(0000) GS:ffff94c8b7780000(0000) knlGS:0000000000000000 [ 105.186490] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 105.186494] CR2: 0000000000000000 CR3: 000000015eade001 CR4: 0000000000770ee0 [ 105.186499] PKRU: 55555554 [ 105.186502] Call Trace: [ 105.186507] <TASK> [ 105.186513] bpf_lwt_xmit_push_encap+0x2b/0x40 [ 105.186522] bpf_prog_a75eaad51e517912+0x41/0x49 [ 105.186536] ? kvm_clock_get_cycles+0x18/0x30 [ 105.186547] ? ktime_get+0x3c/0xa0 [ 105.186554] bpf_test_run+0x195/0x320 [ 105.186563] ? bpf_test_run+0x10f/0x320 [ 105.186579] bpf_prog_test_run_skb+0x2f5/0x4f0 [ 105.186590] __sys_bpf+0x69c/0xa40 [ 105.186603] __x64_sys_bpf+0x1e/0x30 [ 105.186611] do_syscall_64+0x59/0x110 [ 105.186620] entry_SYSCALL_64_after_hwframe+0x76/0xe0 [ 105.186649] RIP: 0033:0x7f166a97455d Temporarily add the setting of skb->_skb_refdst before bpf_test_run to resolve the issue.

Linux Denial Of Service Debian
NVD VulDB
EPSS
0.2%
CVE-2026-53110 HIGH PATCH This Week

Memory-safety and information-disclosure risk in the Linux kernel s390 (IBM Z) eBPF JIT compiler stems from incomplete ABI compliance: the JIT sign-extended values but never zero-extended unsigned BPF program return values and kfunc arguments as the s390x calling convention requires. On s390x hosts, a local user able to load BPF programs can cause the JIT to emit code that leaves stale upper register bits, producing incorrect computation that can leak kernel data or corrupt execution. There is no public exploit identified at time of analysis, EPSS is low (0.16%), and the issue is not in CISA KEV; it is fixed in multiple stable releases.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53109 Monitor

In the Linux kernel, the following vulnerability has been resolved: powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy powerpc uses pt_frag_refcount as a reference counter for tracking it's pte and pmd page table fragments. For PTE table, in case of Hash with 64K pagesize, we have 16 fragments of 4K size in one 64K page. Patch series [1] "mm: free retracted page table by RCU" added pte_free_defer() to defer the freeing of PTE tables when retract_page_tables() is called for madvise MADV_COLLAPSE on shmem range. [1]: https://lore.kernel.org/all/7cd843a9-aa80-14f-5eb2-33427363c20@google.com/ pte_free_defer() sets the active flag on the corresponding fragment's folio & calls pte_fragment_free(), which reduces the pt_frag_refcount. When pt_frag_refcount reaches 0 (no active fragment using the folio), it checks if the folio active flag is set, if set, it calls call_rcu to free the folio, it the active flag is unset then it calls pte_free_now(). Now, this can lead to following problem in a corner case... [ 265.351553][ T183] BUG: Bad page state in process a.out pfn:20d62 [ 265.353555][ T183] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20d62 [ 265.355457][ T183] flags: 0x3ffff800000100(active|node=0|zone=0|lastcpupid=0x7ffff) [ 265.358719][ T183] raw: 003ffff800000100 0000000000000000 5deadbeef0000122 0000000000000000 [ 265.360177][ T183] raw: 0000000000000000 c0000000119caf58 00000000ffffffff 0000000000000000 [ 265.361438][ T183] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set [ 265.362572][ T183] Modules linked in: [ 265.364622][ T183] CPU: 0 UID: 0 PID: 183 Comm: a.out Not tainted 6.18.0-rc3-00141-g1ddeaaace7ff-dirty #53 VOLUNTARY [ 265.364785][ T183] Hardware name: IBM pSeries (emulated by qemu) POWER10 (architected) 0x801200 0xf000006 of:SLOF,git-ee03ae pSeries [ 265.364908][ T183] Call Trace: [ 265.364955][ T183] [c000000011e6f7c0] [c000000001cfaa18] dump_stack_lvl+0x130/0x148 (unreliable) [ 265.365202][ T183] [c000000011e6f7f0] [c000000000794758] bad_page+0xb4/0x1c8 [ 265.365384][ T183] [c000000011e6f890] [c00000000079c020] __free_frozen_pages+0x838/0xd08 [ 265.365554][ T183] [c000000011e6f980] [c0000000000a70ac] pte_frag_destroy+0x298/0x310 [ 265.365729][ T183] [c000000011e6fa30] [c0000000000aa764] arch_exit_mmap+0x34/0x218 [ 265.365912][ T183] [c000000011e6fa80] [c000000000751698] exit_mmap+0xb8/0x820 [ 265.366080][ T183] [c000000011e6fc30] [c0000000001b1258] __mmput+0x98/0x300 [ 265.366244][ T183] [c000000011e6fc80] [c0000000001c81f8] do_exit+0x470/0x1508 [ 265.366421][ T183] [c000000011e6fd70] [c0000000001c95e4] do_group_exit+0x88/0x148 [ 265.366602][ T183] [c000000011e6fdc0] [c0000000001c96ec] pid_child_should_wake+0x0/0x178 [ 265.366780][ T183] [c000000011e6fdf0] [c00000000003a270] system_call_exception+0x1b0/0x4e0 [ 265.366958][ T183] [c000000011e6fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec The bad page state error occurs when such a folio gets freed (with active flag set), from do_exit() path in parallel. ... this can happen when the pte fragment was allocated from this folio, but when all the fragments get freed, the pte_frag_refcount still had some unused fragments. Now, if this process exits, with such folio as it's cached pte_frag in mm->context, then during pte_frag_destroy(), we simply call pagetable_dtor() and pagetable_free(), meaning it doesn't clear the active flag. This, can lead to the above bug. Since we are anyway in do_exit() path, then if the refcount is 0, then I guess it should be ok to simply clear the folio active flag before calling pagetable_dtor() & pagetable_free().

Linux IBM Information Disclosure Google
NVD VulDB
EPSS
0.2%
CVE-2026-53108 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix unmap race with PMD migration entries The following race is possible with migration swap entries or device-private THP entries. e.g. when move_pages is called on a PMD THP page, then there maybe an intermediate state, where PMD entry acts as a migration swap entry (pmd_present() is true). Then if an munmap happens at the same time, then this VM_BUG_ON() can happen in pmdp_huge_get_and_clear_full(). This patch fixes that. Thread A: move_pages() syscall add_folio_for_migration() mmap_read_lock(mm) folio_isolate_lru(folio) mmap_read_unlock(mm) do_move_pages_to_node() migrate_pages() try_to_migrate_one() spin_lock(ptl) set_pmd_migration_entry() pmdp_invalidate() # PMD: _PAGE_INVALID | _PAGE_PTE | pfn set_pmd_at() # PMD: migration swap entry (pmd_present=0) spin_unlock(ptl) [page copy phase] # <--- RACE WINDOW --> Thread B: munmap() mmap_write_downgrade(mm) unmap_vmas() -> zap_pmd_range() zap_huge_pmd() __pmd_trans_huge_lock() pmd_is_huge(): # !pmd_present && !pmd_none -> TRUE (swap entry) pmd_lock() -> # spin_lock(ptl), waits for Thread A to release ptl pmdp_huge_get_and_clear_full() VM_BUG_ON(!pmd_present(*pmdp)) # HITS! [ 287.738700][ T1867] ------------[ cut here ]------------ [ 287.743843][ T1867] kernel BUG at arch/powerpc/mm/book3s64/pgtable.c:187! cpu 0x0: Vector: 700 (Program Check) at [c00000044037f4f0] pc: c000000000094ca4: pmdp_huge_get_and_clear_full+0x6c/0x23c lr: c000000000645dec: zap_huge_pmd+0xb0/0x868 sp: c00000044037f790 msr: 800000000282b033 current = 0xc0000004032c1a00 paca = 0xc000000004fe0000 irqmask: 0x03 irq_happened: 0x09 pid = 1867, comm = a.out kernel BUG at :187! Linux version 6.19.0-12136-g14360d4f917c-dirty (powerpc64le-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #27 SMP PREEMPT Sun Feb 22 10:38:56 IST 2026 enter ? for help [link register ] c000000000645dec zap_huge_pmd+0xb0/0x868 [c00000044037f790] c00000044037f7d0 (unreliable) [c00000044037f7d0] c000000000645dcc zap_huge_pmd+0x90/0x868 [c00000044037f840] c0000000005724cc unmap_page_range+0x176c/0x1f40 [c00000044037fa00] c000000000572ea0 unmap_vmas+0xb0/0x1d8 [c00000044037fa90] c0000000005af254 unmap_region+0xb4/0x128 [c00000044037fb50] c0000000005af400 vms_complete_munmap_vmas+0x138/0x310 [c00000044037fbe0] c0000000005b0f1c do_vmi_align_munmap+0x1ec/0x238 [c00000044037fd30] c0000000005b3688 __vm_munmap+0x170/0x1f8 [c00000044037fdf0] c000000000587f74 sys_munmap+0x2c/0x40 [c00000044037fe10] c000000000032668 system_call_exception+0x128/0x350 [c00000044037fe50] c00000000000d05c system_call_vectored_common+0x15c/0x2ec ---- Exception: 3000 (System Call Vectored) at 0000000010064a2c SP (7fff9b1ee9c0) is in userspace 0:mon> zh commit a30b48bf1b24 ("mm/migrate_device: implement THP migration of zone device pages"), enabled migration for device-private PMD entries. Hence this is one other path where this warning could get trigger from. ------------[ cut here ]------------ WARNING: arch/powerpc/mm/book3s64/hash_pgtable.c:199 at hash__pmd_hugepage_update+0x48/0x284, CPU#3: hmm-tests/1905 Modules linked in: test_hmm CPU: 3 UID: 0 PID: 1905 Comm: hmm-tests Tainted: G B W L N 7.0.0-rc1-01438-g7e2f0ee7581c #21 PREEMPT Tainted: [B]=BAD_PAGE, [W]=WARN, [L]=SOFTLOCKUP, [N]=TEST Hardware name: IBM pSeries (emulated by qemu) POWER10 (architected) 0x801200 0xf000006 of:SLOF,git-ee03ae pSeries NIP [c000000000096b70] hash__pmd_hugepage_update+0x48/0x284 LR [c000000000096e7c] hash__pmdp_huge_get_and_clear+0xd0/0xd4 Call Trace: [c000000604707670] [c000000004e102b8] 0xc000000004e102b8 (unreliable) [c000000604707700] [c00000000064ec3c] set_pmd_migration_entry+0x414/0x498 [c000000604707760] [c00000000063e5a4] migrate_vma_col ---truncated---

Linux IBM Information Disclosure Debian
NVD VulDB
EPSS
0.2%
CVE-2026-53107 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: don't kill URBs in interrupt context Serialization for the TX path was enforced by calling usb_kill_urb()/usb_kill_anchored_urbs(), to prevent transmission before a previous URB was completed. usb_tx_block() can be called from interrupt context (e.g. in the HCD giveback path), so we can't always use it to kill in-flight URBs. Prevent sleeping during interrupt context by checking the tx_submitted anchor for existing URBs. We now return -EBUSY, to indicate there's a pending request.

Linux Information Disclosure
NVD VulDB
EPSS
0.2%
CVE-2026-53106 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: bpf: Do not allow deleting local storage in NMI Currently, local storage may deadlock when deferring freeing selem or local storage through kfree_rcu(), call_rcu() or call_rcu_tasks_trace() in NMI or reentrant. Since deleting selem in NMI is an unlikely use case, partially mitigate it by returning error when calling from bpf_xxx_storage_delete() helpers in NMI. Note that, it is still possible to deadlock through reentrant. A full mitigation requires returning error when irqs_disabled() is true, which, however is too heavy-handed for bpf_xxx_storage_delete(). The long-term solution requires _nolock versions of call_rcu. Another possible solution is to defer the free through irq_work [0], but it would grow the size of selem, which is non-ideal. The check is only needed in bpf_selem_unlink(), which is used by helpers and syscalls. bpf_selem_unlink_nofail() is fine as it is called during map and owner tear down that never run in NMI or reentrant. [0] https://lore.kernel.org/bpf/20260205190233.912-1-alexei.starovoitov@gmail.com/

Linux Information Disclosure
NVD VulDB
EPSS
0.1%
CVE-2026-53105 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: prevent NULL vif dereference in mt7925_mac_write_txwi Check for a NULL `vif` before accessing `ieee80211_vif_is_mld(vif)` to avoid a potential kernel panic in scenarios where `vif` might not be initialized.

Linux Information Disclosure
NVD VulDB
EPSS
0.2%
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Heap out-of-bounds write in the Linux kernel's USB serial driver for KL5KUSB105-based adapters (kl5kusb105) lets a write to an attached tty corrupt slab memory two bytes past a 64-byte bulk-out buffer. The flaw is in klsi_105_prepare_write_buffer(), which reserves a two-byte length header but still copies the full buffer size from the write FIFO, overrunning the allocation by KLSI_HDR_LEN (2) bytes. EPSS is low (0.19%, 9th percentile) and there is no public exploit identified at time of analysis; the issue was found via KASAN using emulated hardware (dummy_hcd/raw-gadget), not in-the-wild exploitation.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation via use-after-free in the Linux kernel ALSA timer subsystem (sound/core/timer.c) allows an authenticated local user to corrupt kernel memory by triggering dangling references to a freed snd_timer object. When snd_timer_free() unlinked pending instances it left slave timer instances still pointing at the freed master timer; the flaw is readily reachable through the userspace-driven timer interface (CONFIG_SND_UTIMER), where opening/closing a file creates and destroys timer objects while other processes keep accessing them. EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis, but kernel UAF bugs of this class are historically a strong primitive for local privilege escalation.

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation or memory corruption in the Linux kernel's ALSA timer subsystem stems from a use-after-free in snd_timer_user_params() reachable via the SNDRV_TIMER_IOCTL_PARAMS ioctl. A low-privileged local user with access to a timer device (notably userspace timers under CONFIG_SND_UTIMER) can race a concurrent ioctl against timer object release to access freed memory. No public exploit identified at time of analysis, and EPSS is low (0.18%), reflecting the local-only, race-dependent nature of the bug.

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Improper completion-flag handling in the Linux kernel's io_uring networking layer (io_uring/net) causes IORING_CQE_F_BUF_MORE to be dropped when a bundled recv operation retries while using incremental provided buffer rings (IOU_PBUF_RING_INC). Local applications using io_uring can be misled into advancing a buffer ring head past an entry the kernel is still using, leading to buffer reuse, data corruption, and potential information disclosure. There is no public exploit identified at time of analysis, EPSS is low (0.18%), and a vendor patch is available across stable trees.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Reference-count leak in the Linux kernel's drm/virtio GPU driver allows a local low-privilege user inside a QEMU/KVM virtual machine to gradually exhaust kernel memory, causing a guest denial of service. The bug exists in virtio_gpu_dma_fence_wait(), where an early error return from inside dma_fence_unwrap_for_each() leaves a dma_fence reference acquired by dma_fence_unwrap_first() unreleased - the only such early-return site in the entire kernel tree. No public exploit is identified at time of analysis and EPSS sits at 0.18% (7th percentile), consistent with the absence from CISA KEV and the non-trivial conditions required to trigger repeated fence-wait failures.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's transparent huge page code (mm/huge_memory) lets a local low-privileged process read freed folio state when __split_huge_pmd_locked() updates the file/shmem RSS counter only after dropping the PMD mapping's folio reference. On affected kernels (introduced around the 4.19 era through to fixes in 6.x/7.x stable trees), a final folio_put() can free the folio before mm_counter_file() inspects it via folio_test_swapbacked(), enabling reads of freed kernel memory. There is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile), consistent with a hard-to-win race rather than turnkey exploitation.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege/capability boundary bypass in the Linux kernel RDMA/core subsystem (ib_get_ucaps) lets a local low-privileged user masquerade as an authentic user-capability (ucap) character-device file descriptor. Because char and block devices share the dev_t namespace, the kernel previously validated only the device number, so a block device with a matching dev_t could be passed to ib_get_ucaps() to impersonate a legitimate ucap cdev and obtain RDMA capabilities the user should not hold. The fix validates the file's f_ops to accept only genuine cdevs. EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis; a stable-tree vendor patch is available.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local out-of-bounds read in the Linux kernel's RDMA/core subsystem allows a low-privileged user with access to RDMA uverbs to crash the system or leak adjacent kernel memory by supplying an unvalidated cpu_id during DMA handle (DMAH) allocation. The UVERBS_ATTR_ALLOC_DMAH_CPU_ID attribute is passed straight to cpumask_test_cpu() without a bounds check, and on CONFIG_DEBUG_PER_CPU_MAPS kernels combined with panic_on_warn it forces a reboot. There is no public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile).

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds read in the Linux kernel's RDMA/SRP initiator (ib_srp) driver lets a malicious or compromised SRP storage target that an initiator has logged into trigger a kernel memory over-read by returning an SRP_RSP with SRP_RSP_FLAG_SNSVALID and an attacker-controlled 32-bit resp_data_len that is never validated against the bytes actually received. With resp_data_len near 0xFFFFFFFF the sense-copy source lands gigabytes past the receive buffer, faulting the kernel for a denial of service and potentially disclosing adjacent kernel memory into the sense buffer. No public exploit is identified at time of analysis and EPSS is low (0.18%), but exploitation requires the privileged position of a trusted SRP target on the InfiniBand/RoCE fabric.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel zram block-device driver allows local attackers to corrupt freed kernel page memory when a zram device is configured with a writeback (ZRAM_WB) backing device. The flaw is in zram_bvec_write_partial(), which passes its parent bio into zram_read_page(), causing the backing-device read to be dispatched asynchronously and return before completion; the buffer is then copied, rewritten, and freed while the in-flight read still writes into it. With a CVSS of 7.8 (high) but a low EPSS of 0.18% (7th percentile) and no public exploit identified at time of analysis, this is a memory-corruption primitive with potential for privilege escalation but no evidence of real-world abuse.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in the Linux kernel's UDP receive path affects systems where a UDP socket is placed in a BPF sockmap with an attached SK_SKB verdict program. Because skb->dev is repurposed as dev_scratch on the UDP path and never cleared before the verdict program runs, a verdict program that calls a socket-lookup helper (bpf_sk_lookup_tcp/udp, bpf_skc_lookup_tcp) causes dev_net() to dereference a stale integer as a net_device pointer, triggering a general protection fault on a non-canonical address in softirq. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and the flaw is fixed; impact is availability only (kernel crash), not the 'Information Disclosure' the input tags suggest.

Linux Canonical Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Resource exhaustion in the Linux kernel's MPTCP (Multipath TCP) subsystem lets a remote peer drive incoming traffic past the receiver's configured rcvbuf size by breaking receive-window accounting. The defect arises because the TCP-level receive window is prevented from shrinking while the MPTCP-level window is independently constrained, so when data is acked at the TCP level but is out-of-order in MPTCP sequence space (or backlogged), the advertised MPTCP window is artificially inflated. EPSS is low (0.18%, 8th percentile), there is no public exploit identified at time of analysis and no KEV listing; the issue is corrected upstream and carries availability impact (CVSS A:H) despite a source 'Information Disclosure' tag.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Heap buffer overflow in the Linux kernel's nl80211 WiFi configuration subsystem (cfg80211) allows a local user with network-configuration privileges to corrupt kernel memory by supplying an oversized EMA (Enhanced Multiple BSSID Advertisement) RNR element list. The parser nl80211_parse_rnr_elems() stores its element count in a u8 field and uses it to size a flexible-array allocation, so submitting 256 or more nested NL80211_ATTR_EMA_RNR_ELEMS attributes wraps the counter and produces an undersized allocation that is then overrun. There is no public exploit identified at time of analysis, EPSS risk is low (0.18%, 8th percentile), and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The vsock/VMCI transport in the Linux kernel silently leaks the accept queue counter (sk_ack_backlog) on every failed vsock connection handshake, eventually causing a permanent denial of service on any vsock listener. Repeated handshake failures caused by malformed packets, queue pair allocation failures, or event subscription failures each increment sk_ack_backlog without a corresponding decrement; once the counter reaches sk_max_ack_backlog, the listener rejects all subsequent connections with -ECONNREFUSED until the owning process is restarted. No public exploit identified at time of analysis; EPSS of 0.18% at the 8th percentile reflects low automated exploitation probability, consistent with the VMware-specific exposure requirement.

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel timer migration subsystem allows the global timer hierarchy to enter an indefinite livelock, hanging the affected CPU. The flaw is in tmigr_handle_remote_up(), where tmigr_handle_remote_cpu() skipped timer_expire_remote() for the local CPU on the assumption that the softirq path already serviced its timers; when jiffies advance between local timer processing and remote evaluation, a newly expired timer is never run and is re-queued with expires==now, spinning the goto-again loop forever. The CVSS 3.1 base score is 7.5 (availability only) but EPSS is just 0.18% (7th percentile), there is no public exploit identified at time of analysis, and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel's rtl8723bs staging Wi-Fi driver (Realtek RTL8723BS SDIO) lets a local low-privileged actor read past the intended information-element (IE) buffer. rtw_update_protection() receives a pointer already offset into the ies buffer while still being passed the full ie_length, so parsing walks beyond the valid data. There is no public exploit identified at time of analysis, EPSS risk is low (0.17%, 7th percentile), it is not in CISA KEV, and fixed kernel releases are available.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Memory-safety flaw in the Linux kernel's staging rtl8723bs Realtek SDIO Wi-Fi driver allows an adjacent (radio-range) attacker to trigger an unsigned-integer underflow in the rtw_mlme information-element parsing path, leading to out-of-bounds reads that can disclose kernel memory or crash the system. The bug occurs because ie_length was not validated before fixed IE offsets were subtracted from it. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but a vendor (upstream kernel) fix is available.

Linux Information Disclosure Integer Overflow
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel bnxt_en Broadcom NetXtreme Ethernet driver crashes the kernel when PCIe error recovery fires against a closed NIC, causing a denial of service. Affected kernel versions span from 4.17 through multiple LTS and mainline branches up to 7.1-rc4, with patches released across all active stable series. No public exploit exists and EPSS sits at 0.17% (7th percentile), marking this as a reliability and stability concern rather than an actively targeted attack vector.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote denial of service in the Linux kernel's iSER (iSCSI Extensions for RDMA) target driver (IB/isert) allows an unauthenticated attacker on the RDMA fabric to crash a storage target node by sending an undersized iSCSI login PDU. The isert_login_recv_done() handler subtracts the 76-byte ISER_HEADERS_LEN from the received byte count without a lower bound, producing a negative signed login_req_len that is later sign-extended into a multi-gigabyte memcpy() length, causing a faulting out-of-bounds copy. Because the login phase precedes iSCSI authentication, no credentials are required; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.21%).

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Slab use-after-free in the Linux kernel's IP fragment reassembly (inet frags) layer occurs during network namespace teardown: fqdir_pre_exit() flushes incomplete fragment queues via inet_frag_queue_flush() without clearing q->fragments_tail/last_run_head, so a fragment reassembly already in flight resumes after the flush and dereferences freed skbs. IPv4, IPv6, nf_conntrack_reasm6, and 6lowpan reassembly all share the affected flush path. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile); NVD scores it CVSS 9.8 (AV:N), but the bug is fundamentally a teardown-vs-reassembly race, so the network-unauthenticated framing overstates practical reachability.

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Improper error handling in the Linux kernel's overlayfs (ovl) directory-iteration code causes ovl_iterate_merged() to return a truncated cache pointer as a bogus non-zero error code after a successful ovl_cache_get(). The flaw is reachable by a local user performing a getdents64/readdir on a stacked overlay-on-overlay mount, as demonstrated by a syzbot reproducer; there is no public exploit and it is not actively exploited. EPSS is very low (0.16%, 6th percentile), consistent with a hard-to-leverage local logic bug rather than a broadly weaponizable flaw.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Heap out-of-bounds write in the Linux kernel's accel/ethosu DRM driver (Arm Ethos-U NPU accelerator) allows a local user with access to the device to corrupt kernel heap memory through the command-stream copy-and-validate ioctl. The flaw stems from the parser advancing its index for 64-bit (bit-14-set) command words without re-checking the buffer bound, letting a crafted command stream write four bytes past a DMA allocation of attacker-controlled size. No public exploit is identified at time of analysis, EPSS is low (0.16%), and an upstream fix has landed in the stable trees.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Heap out-of-bounds write in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) lets a local user with access to the NPU device corrupt adjacent kernel heap memory. The command-stream parser masks the IFM region index with 0x7f (max 127) instead of 0x7 (max 7) like every other region assignment, so a crafted NPU_SET_IFM_REGION opcode with param > 7 indexes far past the 8-entry region_size[]/output_region[] arrays, writing up to ~1016 bytes beyond the allocation. No public exploit identified at time of analysis, and EPSS is low (0.16%), but the bug is a classic exploitable heap-overflow primitive in privileged kernel context.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local privilege escalation and kernel memory corruption in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) arises from unchecked arithmetic in dma_length(), allowing a local user with access to the accelerator device to submit a crafted command stream that wraps around integer math and under-reports DMA region sizes. Because region_size[] is later used by ethosu_job.c to validate command-stream accesses against GEM buffer sizes, the wraparound bypasses bounds checking and permits out-of-bounds DMA access (CVSS 3.1 8.8). No public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile).

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Local privilege escalation and host memory compromise is possible in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) because DMA commands with an uninitialized length sentinel (U64_MAX) bypass the driver's bounds checks. A local user permitted to submit jobs to the NPU can omit the NPU_SET_DMA0_LEN command before NPU_OP_DMA_START, triggering an integer wrap in dma_length() that returns 0, zeroing region_size[] and letting the hardware execute DMA against stale physical addresses. There is no public exploit identified at time of analysis, EPSS is low (0.17%), and the issue is not in CISA KEV, but the rated CVSS of 8.8 reflects full host memory read/write potential via the DMA engine.

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Unbounded kernel log spam and conditional kernel panic in the Linux kernel's accel/ethosu Arm Ethos-U NPU driver allows any local unprivileged user with DRM device access to exhaust kernel log resources or crash the system. The driver's unimplemented NPU_OP_RESIZE command handler contains an unconditional WARN_ON(1) that fires every time userspace submits this operation via DRM_IOCTL_ETHOSU_GEM_CREATE. On systems where the panic_on_warn kernel parameter is enabled, this becomes a trivial denial-of-service primitive requiring only local DRM device access. No public exploit has been identified at time of analysis, and EPSS sits at the 5th percentile (0.15%), reflecting the niche hardware and non-default configuration requirements.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel crash via FUSE pagecache misuse in the Linux kernel allows a local low-privileged user controlling a FUSE daemon to trigger a WARN_ON() assertion in fuse_parse_cache() by sending FUSE_NOTIFY_STORE or FUSE_NOTIFY_RETRIEVE notifications targeting directory inodes instead of regular files, causing a denial-of-service kernel crash. The vulnerability specifically affects FUSE filesystems that have directory caching (FOPEN_CACHE_DIR) enabled, a non-default configuration that exposes kernel-internal pagecache storage to invalid manipulation. No public exploit has been identified, EPSS sits at 0.18% (7th percentile), and patches have been released across all active Linux stable branches.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uninitialized memory exposure in the Linux kernel FUSE subsystem allows a local attacker to read residual kernel page cache data via the FUSE_NOTIFY_RETRIEVE notification path. The flaw affects systems where folios not marked 'uptodate' are returned to FUSE daemons rather than treated as absent - a condition with direct security impact only on kernels built or booted without automatic page-allocation zeroing (CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1). No public exploit has been identified at time of analysis and EPSS sits at 0.17% (6th percentile), reflecting minimal observed exploitation activity.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's futex PI requeue path allows a local low-privileged user to crash the kernel. Triggered via FUTEX_CMP_REQUEUE_PI when a non-top waiter already owns the target PI futex, the deadlock detection path returns -EDEADLK before initializing waiter->task, which remove_waiter() then dereferences unconditionally. Impact is a kernel panic (system-wide denial of service). No public exploit identified at time of analysis and EPSS is at the 7th percentile, but the attack surface is any unprivileged local process on an affected kernel version.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's iomap buffered I/O layer allows a NULL pointer dereference (kernel oops/panic) when a buffered read fails on a folio split across multiple read completions. Because iomap_finish_folio_read() decremented read_bytes_pending before calling fserror_report_io(), a concurrent final read completion plus a truncate could detach the folio (folio->mapping = NULL) before the error path dereferenced it. CVSS 7.5 reflects availability-only impact (A:H); EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel availability impact in Linux iommu/dma SWIOTLB subsystem allows a local low-privileged user to corrupt IOMMU mappings and trigger a kernel WARN_ON via Thunderbolt NVMe passthrough commands. The iommu_dma_iova_link_swiotlb() function fails to guard against zero-length middle segments in unaligned DMA mappings, causing iommu_map() to receive an illegal zero-size argument; the subsequent error unwind then starts from the wrong offset, corrupting the IOMMU page table state and firing WARN_ON at destruction. No active exploitation is confirmed (not in CISA KEV), and EPSS of 0.17% (6th percentile) signals negligible threat-actor interest, but the bug is reliably reproducible with commodity Thunderbolt NVMe hardware.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's real-time mutex (rtmutex) subsystem allows a local low-privileged user to crash the kernel via FUTEX_CMP_REQUEUE_PI, causing a denial of service. Affected stable branches span Linux 6.1 through 7.1-rc5; vendor patches are available via kernel.org stable commits. No public exploit has been identified and EPSS is 0.17% (7th percentile), indicating negligible observed exploitation activity.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege/availability weakness in the Linux kernel memory cgroup (memcg) subsystem stems from refill_stock() calling get_random_u32_below() for victim selection, a routine that is neither reentrant- nor NMI-safe. Because memcg charge draining can occur in NMI context, an NMI landing mid-update of the per-CPU batched_entropy_u32 ChaCha state could corrupt the random subsystem's per-CPU local_lock state. The fix replaces the random pick with a per-CPU round-robin counter serialized by the existing local_trylock; EPSS is very low (0.17%, 7th percentile), this is not in CISA KEV, and no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's Qualcomm FastRPC misc driver (drivers/misc/fastrpc) arises from a use-after-free of the fastrpc_user structure during concurrent file-descriptor close and DSP response processing. A local user with access to the FastRPC device can race fastrpc_device_release() against the put_work workqueue so that fastrpc_context_free() dereferences an already-freed user object, enabling kernel memory corruption with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and EPSS is low (0.18%), consistent with a hard-to-win kernel race on Qualcomm-only hardware.

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's fastrpc misc driver allows an attacker with local low-privileged access to a FastRPC device to trigger a use-after-free in fastrpc_map_create by racing a concurrent MEM_UNMAP against map lookup. The flaw stems from fastrpc_map_lookup returning an unprotected raw pointer after dropping fl->lock, which a concurrent unmap can free before the reference is taken. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.17%, 7th percentile), consistent with a kernel race condition requiring local access and precise timing.

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Integer underflow in the Linux kernel fastrpc misc driver corrupts DMA addresses sent to Qualcomm DSPs, enabling a local low-privileged user to crash the DSP subsystem or induce a kernel panic. The flaw in fastrpc_get_args() affects all major stable kernel branches from 5.15 through 7.1-rc3 and is patched across multiple stable series. No public exploit exists and EPSS probability is 0.17% (7th percentile), indicating low real-world exploitation risk despite broad platform coverage.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's fastrpc misc driver crashes the kernel when a Qualcomm DSP sends a glink message before the fastrpc_rpmsg_probe() initialization routine completes. Systems using the Qualcomm FastRPC subsystem - primarily Android and embedded Qualcomm SoC platforms running Linux 5.1 through unpatched 6.x/7.x stable branches - are vulnerable to a local denial-of-service (kernel panic) at boot. No public exploit exists and EPSS is 0.17% (6th percentile), consistent with a hardware-timing race condition requiring specific Qualcomm DSP hardware rather than generic remote exploitation.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Slab use-after-free in the Linux kernel's Phonet subsystem (net/phonet) allows a local privileged actor to trigger memory corruption when a phonet_device is torn down. phonet_device_destroy() unlinks the object from the per-net device list with list_del_rcu() but frees it immediately, so concurrent RCU readers can still dereference the freed object; the fix converts the free to kfree_rcu(). No public exploit identified at time of analysis, EPSS is very low (0.17%, 7th percentile), and it is not on CISA KEV, but the CVSS 3.1 base score is 7.8 (High) reflecting full confidentiality, integrity and availability impact from local exploitation.

Memory Corruption Linux Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's nvmem core subsystem arises from use-after-free bugs in multiple error paths where __nvmem_device_put() releases the nvmem device (and its backing memory/resources) but the code continues to dereference the freed structure before returning. A local, low-privileged user able to trigger these error paths can corrupt kernel memory, potentially leading to code execution or information disclosure. Fix is upstream in stable kernel trees; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.17%).

Memory Corruption Linux Use After Free +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Corrupted reverse-mapping (rmap) state in the Linux kernel's mm/huge_memory subsystem crashes or destabilizes affected systems through a flag misinterpretation in set_pmd_migration_entry() for device-private PMD entries. On x86-64 with CONFIG_MEM_SOFT_DIRTY enabled, the function incorrectly reads the softdirty bit as a write-permission flag - because _PAGE_SWP_SOFT_DIRTY aliases _PAGE_RW - causing migration entries to be marked writable when they should be read-only, ultimately triggering a VM_WARN assertion in __folio_add_anon_rmap() when an AnonExclusive folio reaches entire_mapcount=2. No public exploit exists and no active exploitation is confirmed; a vendor patch is available as of Linux 7.0.13 and 7.1.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Hugetlb VMA reservation leak in the Linux kernel mm/hugetlb subsystem allows a local authenticated user to trigger SIGBUS on a process at a previously reserved huge-page address. Two code paths - the UFFDIO_COPY resubmission path and the fork-time copy-on-write path - fail to call restore_reserve_on_error() after copy_user_large_folio() returns an error, leaving the per-VMA reservation map entry marked consumed. No public exploit exists and EPSS is 0.17% (6th percentile), but patches are available in multiple stable branches.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Kernel memory corruption in the Linux memory-management list_lru subsystem (memory cgroup reparenting path) allows a local user to corrupt linked-list pointers and destabilize or potentially escalate privileges on the system. The flaw is a race condition in memcg_reparent_list_lrus(), affecting kernels from 6.13 onward; it carries CVSS 7.8 (High) with full confidentiality, integrity and availability impact but a low EPSS of 0.17% (7th percentile). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Linux Information Disclosure Enterprise Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's dw_mmc-rockchip MMC driver triggers kernel panics on systems running legacy Rockchip SoCs (rk2928, rk3066, rk3188) when the MMC subsystem initializes. Commit ff6f0286c896 introduced a mandatory private-data access path that was never populated for these old controllers - which historically had no UHS support and no parse_dt callback - causing a reproducible kernel crash on affected hardware. No active exploitation is confirmed (absent from CISA KEV), and the EPSS score of 0.17% (6th percentile) reflects negligible real-world exploitation probability; the primary risk is an accidental reliability failure on embedded systems running these legacy SoCs.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Out-of-bounds buffer access in the Linux kernel's AF_RXRPC (rxrpc) networking subsystem allows a remote attacker who can send crafted RxRPC-over-UDP traffic to trigger improper reads of the SACK table when an incoming ACK packet is deliberately fragmented. AF_RXRPC wrongly assumes skb_condense() always linearizes the packet before parsing soft-ACKs in rxrpc_input_soft_acks(), but skb_condense() can silently no-op, leading to access of a non-flat buffer and in-place modification of the received skbuff. No public exploit identified at time of analysis; EPSS is low at 0.17% (7th percentile) and this is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Thunderbolt XDomain property validator in the Linux kernel triggers a heap underflow when processing zero-length TEXT property entries, enabling a local low-privileged attacker to crash the kernel (denial of service). The root cause is in tb_property_entry_valid(), which permits length==0 for TEXT entries that subsequently compute an array index of -1 during null-termination (0 * 4 - 1), writing one byte before the allocated buffer. No public exploit has been identified and EPSS is extremely low at 0.18% (8th percentile), indicating negligible opportunistic exploitation pressure despite the kernel's ubiquitous deployment footprint.

Integer Overflow Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel Thunderbolt (thunderbolt) property parser lets a crafted property directory from a connected Thunderbolt/USB4 device cause the kernel to read past an allocated property block, potentially disclosing adjacent kernel memory or crashing the system. The flaw lives in __tb_property_parse_dir(), which fails to validate that content_offset + content_len stays within block_len for the root directory. It affects a broad range of stable kernel series and is fixed upstream; there is no public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.18% (7th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Heap out-of-bounds write in the Linux kernel Thunderbolt/USB4 XDomain driver lets a malicious connected peer device corrupt kernel memory. In tb_xdp_properties_request(), the per-packet copy length is taken from the attacker-controlled response header without validating it against the previously kcalloc-allocated data buffer, so a peer advertising a length larger than data_length forces memcpy to write past the allocation. No public exploit identified at time of analysis and EPSS is low (0.18%), but the write-primitive nature (CWE-787) in kernel space makes it a meaningful local/physical attack surface on Thunderbolt-capable hosts.

Memory Corruption Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds memory read in the Linux kernel's Thunderbolt (thunderbolt) XDomain driver allows an adjacent peer connected over a Thunderbolt link to leak kernel heap memory or crash the host. The flaw lives in tb_xdp_handle_request(), which casts a received XDomain packet to protocol-specific structs without confirming the kmemdup allocation is large enough, so a deliberately undersized packet that still passes the generic header-length check triggers reads past the buffer. There is no public exploit identified at time of analysis, EPSS is low (0.18%), and it is not CISA KEV-listed.

Linux Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Information disclosure in the Linux kernel's Thunderbolt XDomain driver allows a malicious peer device to read stale kernel DMA-pool memory from prior transactions. The tb_xdomain_copy() function copies the full expected response_size from a received packet buffer without bounding it to the actual frame size, so a deliberately short response causes the kernel to leak adjacent buffer contents. No public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel DRM/GEM subsystem stems from a race condition in the GEM change_handle ioctl when it runs concurrently with gem_close, where botched two-stage idr_replace handling against the wrong idr slot allows a concurrent close to steal the object's only inherited reference. The flaw affects systems using the DRM graphics stack (notably AMD GPU paths, per source tags) and an unprivileged local user with access to a DRM render/card device can trigger a use-after-free, with the upstream resolution disabling the change_handle ioctl entirely until the locking can be proven correct. No public exploit identified at time of analysis and EPSS is low (0.17%, 7th percentile), consistent with a local-only, hard-to-win race rather than mass exploitation.

Linux Amd Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's drm/amdkfd subsystem allows a local low-privileged user to trigger a kernel panic by invoking the kfd_ioctl_set_debug_trap() ioctl with a non-zero num_queues value and a NULL queue_array_ptr. The root flaw is that get_queue_ids() returns NULL in this case rather than ERR_PTR(-EINVAL), and both callers check only IS_ERR() - since IS_ERR(NULL) evaluates false, execution proceeds to q_array_invalidate(), which immediately dereferences the NULL pointer while iterating, crashing the kernel. No public exploit has been identified and the EPSS score of 0.17% (6th percentile) confirms low observed exploitation probability, though the trigger path is mechanically simple for any user with /dev/kfd access.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local information disclosure and memory corruption in the Linux kernel's AMD KFD (amdkfd) driver affects GFX11/Navi3x GPUs, where the v11 MQD manager wrongly used CP-compute checkpoint/restore handlers for SDMA queues. During a CRIU checkpoint or restore of an SDMA queue, the driver treats a 512-byte v11_sdma_mqd buffer as a 2048-byte v11_compute_mqd, so it either leaks 1536 bytes of adjacent GTT memory to userspace or overwrites 1536 bytes of neighboring GTT memory (ring buffers or adjacent MQDs). Exploitation requires local access with the ability to drive CRIU checkpoint/restore of a GPU compute process; there is no public exploit identified at time of analysis and EPSS is low (0.18%).

Linux Buffer Overflow Checkpoint
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Intel Xe GPU driver (drm/xe) causes a kernel panic during system suspend or shutdown when display hardware is disabled via hardware fuses rather than absent at initial probe. Systems running Linux 6.8 and later with Intel Xe GPUs in fuse-disabled display configurations are affected; a low-privileged local user can trigger an unplanned system crash by initiating suspend or shutdown. No public exploit exists and EPSS is 0.17% (6th percentile), reflecting this as a reliability and local-denial-of-service issue rather than a broad security priority.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Reference counting leaks in the Linux kernel's drm/v3d driver allow a local user to exhaust kernel memory and trigger a denial-of-service condition on systems equipped with Broadcom VideoCore VI GPUs (e.g., Raspberry Pi 4/5). The flaw exists across three code paths in the SET_GLOBAL and CLEAR_GLOBAL perfmon ioctls, as well as in the perfmon destroy path, each of which fails to release references acquired by v3d_perfmon_find(). No public exploit or active exploitation has been identified; EPSS probability stands at 0.17%, reflecting negligible automated exploitation interest.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory exhaustion via vaddr leak in the Linux kernel's V3D DRM driver allows a local low-privileged user to degrade or deny service on systems equipped with Broadcom V3D GPUs. The function v3d_rewrite_csd_job_wg_counts_from_indirect() maps two buffer objects (indirect buffer and workgroup buffer) but takes an early return path - without releasing the vaddr mappings - whenever any workgroup count read from the indirect buffer is zero, permanently leaking both BO mappings per triggering job submission. No public exploit has been identified and EPSS sits at the 6th percentile (0.17%), consistent with the hardware-specific, local-only attack surface; this vulnerability is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The drm/v3d GPU driver in the Linux kernel mishandles indirect Compute Shader Dispatch (CSD) jobs that carry zeroed workgroup dimension counts, allowing a local low-privilege user with GPU compute access to crash the VideoCore VI GPU subsystem. The hardware interprets a zero workgroup count as 65536 - exceeding the user-space-exposed maximum of 65535 - instead of treating the dispatch as a no-op, causing undefined GPU behavior and a denial-of-service condition. Exploitation is constrained to Broadcom VideoCore VI hardware (Raspberry Pi 4/5 ecosystem); EPSS is 0.17% (6th percentile), no public exploit exists, and the vulnerability is absent from CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read and unbounded-iteration denial of service in the Linux kernel's AMD Display (amdgpu DC) driver arises when the bios_parser/bios_parser2 code walks VBIOS record chains that lack a proper 0xFF terminator record. A local attacker able to supply a malformed VBIOS image can force hundreds of thousands of probe-time iterations (with record_size=1) and, near the image boundary, trigger struct casts that read past the 2-byte header validated by GET_IMAGE. There is no public exploit identified at time of analysis, and the EPSS score is low (0.17%, 6th percentile), consistent with a local, firmware-dependent memory-safety bug rather than a broadly exploited remote flaw.

Linux Amd Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds kernel heap write in the AMD Display (amdgpu) driver's HDMI HDCP 2.x repeater authentication path affects Linux kernels from 5.6 through the 7.1 release candidates. When reading a downstream sink's RxStatus register, the driver in mod_hdcp_read_rx_id_list() uses an attacker-influenced 10-bit message-size field (up to 1023 bytes) as the I2C read length without bounding it to the 177-byte rx_id_list buffer, so a malicious HDMI repeater can force a write past the buffer and corrupt kernel memory. There is no public exploit identified at time of analysis and EPSS is low (0.21%, 11th percentile); it is not listed in CISA KEV.

Memory Corruption Linux Amd +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds heap write in the Linux kernel amdgpu DRM display driver (drm/amd/display) arises because the VBIOS integrated info tables (v1_11 and v2_1) expose unvalidated u8 HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C settings into fixed-size arrays (9 and 3 elements). A malformed VBIOS can set these counts up to 255, overrunning the destination arrays during driver probe on AMD GPU systems. No public exploit has been identified and EPSS is very low (0.17%), but the memory-corruption primitive (CWE-787) carries high confidentiality, integrity, and availability impact per the CVSS 7.8 rating.

Memory Corruption Linux Amd +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference and buffer over-read in the Linux kernel's AMD display driver (drm/amd/display) can be triggered by a local user writing to the sdp_message debugfs node, causing a kernel panic and denial of service. The dp_sdp_message_debugfs_write() function fails to check whether connector->base.state->crtc is NULL - a valid transient state after GPU hotplug before an atomic commit - and unconditionally passes 36 bytes to copy_from_user() regardless of the caller-provided size, enabling a second over-read path. No public exploit or CISA KEV listing exists; EPSS is 0.18% (7th percentile), consistent with a localized, hardware-dependent DoS.

Linux Amd Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

{4,6}_eval() zeroes only the first of four declared registers, leaving three registers holding uninitialized contents from nft_do_chain()'s struct nft_regs stack frame; a downstream nftables expression reading the full IFNAMSIZ span then exposes that data to userspace. No public exploit code has been identified at time of analysis and EPSS sits at the 7th percentile (0.18%), consistent with a narrow, locally-gated exploitation path.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption in the Linux kernel's RDMA/umem subsystem occurs because __rdma_block_iter_next() uses 32-bit types to reassemble scatter-gather entries, truncating DMA addresses for block sizes of 4GB or larger when an IOMMU linearizes the mapping. Affected versions span the long-lived 5.2 through 7.1 development line; a low-privileged local actor with RDMA device access can drive the kernel to compute wrong DMA addresses, yielding high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with the narrow hardware/configuration prerequisites.

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in the Linux kernel's virtio vsock transport allows a local actor to exhaust kernel memory by flooding the socket with zero-length packets flagged VIRTIO_VSOCK_SEQ_EOM, which bypass receive-buffer accounting and grow the skb receive queue without bound. The flaw affects the vsock/virtio guest-host communication path and carries CVSS 7.1 (A:H, scope-changed); EPSS is low (0.17%, 6th percentile) and there is no public exploit identified at time of analysis. Note a data conflict: the input tags it 'Information Disclosure', but the CVSS vector (C:N/I:N/A:H) and the description describe a memory-exhaustion availability issue, not disclosure.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's netfilter subsystem allows attackers to leak adjacent kernel memory or crash the host by sending packets that traverse MAC-based matching paths (`xt_mac`, `ip6t_eui64`, the `bitmap:ip,mac`/`hash:ip,mac`/`hash:mac` ipset types, and `nf_log_syslog`) which call `eth_hdr(skb)` without first confirming the skb carries a full Ethernet header. Affected kernels span the 5.15 through 7.1 stable trees prior to the fixed releases, and the impact is information disclosure and denial of service rather than code execution. There is no public exploit identified at time of analysis, and the EPSS score is low at 0.17% (7th percentile).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds kernel memory write in the Linux kernel's OMFS filesystem driver (fs/omfs) allows a local attacker to corrupt kernel memory by mounting a crafted OMFS image. omfs_fill_super() validates that s_sys_blocksize is not larger than PAGE_SIZE but fails to enforce a lower bound, so a value below OMFS_DIR_START (0x1b8 = 440) triggers an unsigned integer underflow in omfs_make_empty(), driving a roughly 4 GiB memset() that overwrites kernel memory far beyond the block buffer. There is no public exploit identified at time of analysis, the EPSS score is low (0.18%), and it is not listed in CISA KEV; the fix has been backported across many stable kernel branches.

Linux Information Disclosure Integer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-dependent use-after-free in the Linux kernel's fs/mbcache subsystem allows a privileged user (root or CAP_SYS_ADMIN) to trigger memory corruption when unmounting an ext2, ext4, or ocfs2 filesystem. mb_cache_destroy() frees the cache without cancelling the pending c_shrink_work item, so a still-running mb_cache_shrink_worker() accesses freed memory (CWE-416), potentially leading to kernel code execution or crash. No public exploit identified at time of analysis; EPSS is low (0.16%, 5th percentile) and it is not on CISA KEV.

Memory Corruption Linux Use After Free +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic via RCU locking imbalance in the DRBD subsystem's drbd_adm_dump_devices() function affects Linux kernel versions from the introduction of commit a55bbd375d18 through multiple stable branches. A locally authenticated low-privilege user who can invoke DRBD administrative operations may trigger a kernel crash by exploiting the unbalanced rcu_read_unlock() call - called without a preceding rcu_read_lock() - leading to a denial-of-service via kernel instability. No public exploit exists and EPSS probability is 0.18% (8th percentile), indicating very low real-world exploitation activity.

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: block: fix zones_cond memory leak on zone revalidation error paths When blk_revalidate_disk_zones() fails after disk_revalidate_zone_resources() has allocated args.zones_cond, the memory is leaked because no error path frees it.

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current() Add the missing put_disk() on the error path in blkcg_maybe_throttle_current(). When blkcg lookup, blkg lookup, or blkg_tryget() fails, the function jumps to the out label which only calls rcu_read_unlock() but does not release the disk reference acquired by blkcg_schedule_throttle() via get_device(). Since current->throttle_disk is already set to NULL before the lookup, blkcg_exit() cannot release this reference either, causing the disk to never be freed. Restore the reference release that was present as blk_put_queue() in the original code but was inadvertently dropped during the conversion from request_queue to gendisk.

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: md: fix array_state=clear sysfs deadlock When "clear" is written to array_state, md_attr_store() breaks sysfs active protection so the array can delete itself from its own sysfs store method. However, md_attr_store() currently drops the mddev reference before calling sysfs_unbreak_active_protection(). Once do_md_stop(..., 0) has made the mddev eligible for delayed deletion, the temporary kobject reference taken by sysfs_break_active_protection() can become the last kobject reference protecting the md kobject. That allows sysfs_unbreak_active_protection() to drop the last kobject reference from the current sysfs writer context. kobject teardown then recurses into kernfs removal while the current sysfs node is still being unwound, and lockdep reports recursive locking on kn->active with kernfs_drain() in the call chain. Reproducer on an existing level: 1. Create an md0 linear array and activate it: mknod /dev/md0 b 9 0 echo none > /sys/block/md0/md/metadata_version echo linear > /sys/block/md0/md/level echo 1 > /sys/block/md0/md/raid_disks echo "$(cat /sys/class/block/sdb/dev)" > /sys/block/md0/md/new_dev echo "$(($(cat /sys/class/block/sdb/size) / 2))" > \ /sys/block/md0/md/dev-sdb/size echo 0 > /sys/block/md0/md/dev-sdb/slot echo active > /sys/block/md0/md/array_state 2. Wait briefly for the array to settle, then clear it: sleep 2 echo clear > /sys/block/md0/md/array_state The warning looks like: WARNING: possible recursive locking detected bash/588 is trying to acquire lock: (kn->active#65) at __kernfs_remove+0x157/0x1d0 but task is already holding lock: (kn->active#65) at sysfs_unbreak_active_protection+0x1f/0x40 ... Call Trace: kernfs_drain __kernfs_remove kernfs_remove_by_name_ns sysfs_remove_group sysfs_remove_groups __kobject_del kobject_put md_attr_store kernfs_fop_write_iter vfs_write ksys_write Restore active protection before mddev_put() so the extra sysfs kobject reference is dropped while the mddev is still held alive. The actual md kobject deletion is then deferred until after the sysfs write path has fully returned.

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: ublk: reset per-IO canceled flag on each fetch If a ublk server starts recovering devices but dies before issuing fetch commands for all IOs, cancellation of the fetch commands that were successfully issued may never complete. This is because the per-IO canceled flag can remain set even after the fetch for that IO has been submitted - the per-IO canceled flags for all IOs in a queue are reset together only once all IOs for that queue have been fetched. So if a nonempty proper subset of the IOs for a queue are fetched when the ublk server dies, the IOs in that subset will never successfully be canceled, as their canceled flags remain set, and this prevents ublk_cancel_cmd from actually calling io_uring_cmd_done on the commands, despite the fact that they are outstanding. Fix this by resetting the per-IO cancel flags immediately when each IO is fetched instead of waiting for all IOs for the queue (which may never happen).

Linux Apple Information Disclosure
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: md: wake raid456 reshape waiters before suspend During raid456 reshape, direct IO across the reshape position can sleep in raid5_make_request() waiting for reshape progress while still holding an active_io reference. If userspace then freezes reshape and writes md/suspend_lo or md/suspend_hi, mddev_suspend() kills active_io and waits for all in-flight IO to drain. This can deadlock: the IO needs reshape progress to continue, but the reshape thread is already frozen, so the active_io reference is never dropped and suspend never completes. raid5_prepare_suspend() already wakes wait_for_reshape for dm-raid. Do the same for normal md suspend when reshape is already interrupted, so waiting raid456 IO can abort, drop its reference, and let suspend finish. The mdadm test tests/25raid456-reshape-deadlock reproduces the hang.

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock between reflink and transaction commit when using flushoncommit When using the flushoncommit mount option, we can have a deadlock between a transaction commit and a reflink operation that copied an inline extent to an offset beyond the current i_size of the destination node. The deadlock happens like this: 1) Task A clones an inline extent from inode X to an offset of inode Y that is beyond Y's current i_size. This means we copied the inline extent's data to a folio of inode Y that is beyond its EOF, using a call to copy_inline_to_page(); 2) Task B starts a transaction commit and calls btrfs_start_delalloc_flush() to flush delalloc; 3) The delalloc flushing sees the new dirty folio of inode Y and when it attempts to flush it, it ends up at extent_writepage() and sees that the offset of the folio is beyond the i_size of inode Y, so it attempts to invalidate the folio by calling folio_invalidate(), which ends up at btrfs' folio invalidate callback - btrfs_invalidate_folio(). There it tries to lock the folio's range in inode Y's extent io tree, but it blocks since it's currently locked by task A - during a reflink we lock the inodes and the source and destination ranges after flushing all delalloc and waiting for ordered extent completion - after that we don't expect to have dirty folios in the ranges, the exception is if we have to copy an inline extent's data (because the destination offset is not zero); 4) Task A then attempts to start a transaction to update the inode item, and then it's blocked since the current transaction is in the TRANS_STATE_COMMIT_START state. Therefore task A has to wait for the current transaction to become unblocked (its state >= TRANS_STATE_UNBLOCKED). So task A is waiting for the transaction commit done by task B, and the later waiting on the extent lock of inode Y that is currently held by task A. Syzbot recently reported this with the following stack traces: INFO: task kworker/u8:7:1053 blocked for more than 143 seconds. Not tainted syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u8:7 state:D stack:23520 pid:1053 tgid:1053 ppid:2 task_flags:0x4208060 flags:0x00080000 Workqueue: writeback wb_workfn (flush-btrfs-46) Call Trace: <TASK> context_switch kernel/sched/core.c:5298 [inline] __schedule+0x1553/0x5240 kernel/sched/core.c:6911 __schedule_loop kernel/sched/core.c:6993 [inline] schedule+0x164/0x360 kernel/sched/core.c:7008 wait_extent_bit fs/btrfs/extent-io-tree.c:811 [inline] btrfs_lock_extent_bits+0x59c/0x700 fs/btrfs/extent-io-tree.c:1914 btrfs_lock_extent fs/btrfs/extent-io-tree.h:152 [inline] btrfs_invalidate_folio+0x43d/0xc40 fs/btrfs/inode.c:7704 extent_writepage fs/btrfs/extent_io.c:1852 [inline] extent_write_cache_pages fs/btrfs/extent_io.c:2580 [inline] btrfs_writepages+0x12ff/0x2440 fs/btrfs/extent_io.c:2713 do_writepages+0x32e/0x550 mm/page-writeback.c:2554 __writeback_single_inode+0x133/0x11a0 fs/fs-writeback.c:1750 writeback_sb_inodes+0x995/0x19d0 fs/fs-writeback.c:2042 wb_writeback+0x456/0xb70 fs/fs-writeback.c:2227 wb_do_writeback fs/fs-writeback.c:2374 [inline] wb_workfn+0x41a/0xf60 fs/fs-writeback.c:2414 process_one_work kernel/workqueue.c:3276 [inline] process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> INFO: task syz.4.64:6910 blocked for more than 143 seconds. Not tainted syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz.4.64 state:D stack:22752 pid:6910 tgid: ---truncated---

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init() On failure to set the epp, the function amd_pstate_epp_cpu_init() returns with an error code without freeing the cpudata object that was allocated at the beginning of the function. Ensure that the cpudata object is freed before returning from the function. This memory leak was discovered by Claude Opus 4.6 with the aid of Chris Mason's AI review-prompts (https://github.com/masoncl/review-prompts/tree/main/kernel).

Linux Amd Information Disclosure
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: PCI: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: platform/wmi: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: vdpa: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: s390/cio: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: s390/ap: use generic driver_override infrastructure When the AP masks are updated via apmask_store() or aqmask_store(), ap_bus_revise_bindings() is called after ap_attr_mutex has been released. This calls __ap_revise_reserved(), which accesses the driver_override field without holding any lock, racing against a concurrent driver_override_store() that may free the old string, resulting in a potential UAF. Fix this by using the driver-core driver_override infrastructure, which protects all accesses with an internal spinlock. Note that unlike most other buses, the AP bus does not check driver_override in its match() callback; the override is checked in ap_device_probe() and __ap_revise_reserved() instead. Also note that we do not enable the driver_override feature of struct bus_type, as AP - in contrast to most other buses - passes "" to sysfs_emit() when the driver_override pointer is NULL. Thus, printing "\n" instead of "(null)\n". Additionally, AP has a custom counter that is modified in the corresponding custom driver_override_store().

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler Calling perf_allow_kernel() from the NMI context is unsafe and could be fatal. Capture the permission at event-initialization time by storing it in event->hw.flags, and have the NMI handler rely on that cached flag instead of making the call directly.

Linux Amd Information Disclosure
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix memory leaks in beacon template setup The functions ath11k_mac_setup_bcn_tmpl_ema() and ath11k_mac_setup_bcn_tmpl_mbssid() allocate memory for beacon templates but fail to free it when parameter setup returns an error. Since beacon templates must be released during normal execution, they must also be released in the error handling paths to prevent memory leaks. Fix this by using unified exit paths with proper cleanup in the respective error paths. Compile tested only. Issue found using a prototype static analysis tool and code review.

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware. But it is never killed in rtl_pci_deinit(). When the rtlwifi card probe fails or is being detached, the ieee80211_hw is deallocated. However, irq_prepare_bcn_tasklet may still be running or pending, leading to use-after-free when the freed ieee80211_hw is accessed in _rtl_pci_prepare_bcn_tasklet(). Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to ensure that irq_prepare_bcn_tasklet is properly terminated before the ieee80211_hw is released. The issue was identified through static analysis.

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap The bpf_lwt_xmit_push_encap helper needs to access skb_dst(skb)->dev to calculate the needed headroom: err = skb_cow_head(skb, len + LL_RESERVED_SPACE(skb_dst(skb)->dev)); But skb->_skb_refdst may not be initialized when the skb is set up by bpf_prog_test_run_skb function. Executing bpf_lwt_push_ip_encap function in this scenario will trigger null pointer dereference, causing a kernel crash as Yinhao reported: [ 105.186365] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 105.186382] #PF: supervisor read access in kernel mode [ 105.186388] #PF: error_code(0x0000) - not-present page [ 105.186393] PGD 121d3d067 P4D 121d3d067 PUD 106c83067 PMD 0 [ 105.186404] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 105.186412] CPU: 3 PID: 3250 Comm: poc Kdump: loaded Not tainted 6.19.0-rc5 #1 [ 105.186423] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 105.186427] RIP: 0010:bpf_lwt_push_ip_encap+0x1eb/0x520 [ 105.186443] Code: 0f 84 de 01 00 00 0f b7 4a 04 66 85 c9 0f 85 47 01 00 00 31 c0 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8b 73 58 48 83 e6 fe <48> 8b 36 0f b7 be ec 00 00 00 0f b7 b6 e6 00 00 00 01 fe 83 e6 f0 [ 105.186449] RSP: 0018:ffffbb0e0387bc50 EFLAGS: 00010246 [ 105.186455] RAX: 000000000000004e RBX: ffff94c74e036500 RCX: ffff94c74874da00 [ 105.186460] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff94c74e036500 [ 105.186463] RBP: 0000000000000001 R08: 0000000000000002 R09: 0000000000000000 [ 105.186467] R10: ffffbb0e0387bd50 R11: 0000000000000000 R12: ffffbb0e0387bc98 [ 105.186471] R13: 0000000000000014 R14: 0000000000000000 R15: 0000000000000002 [ 105.186484] FS: 00007f166aa4d680(0000) GS:ffff94c8b7780000(0000) knlGS:0000000000000000 [ 105.186490] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 105.186494] CR2: 0000000000000000 CR3: 000000015eade001 CR4: 0000000000770ee0 [ 105.186499] PKRU: 55555554 [ 105.186502] Call Trace: [ 105.186507] <TASK> [ 105.186513] bpf_lwt_xmit_push_encap+0x2b/0x40 [ 105.186522] bpf_prog_a75eaad51e517912+0x41/0x49 [ 105.186536] ? kvm_clock_get_cycles+0x18/0x30 [ 105.186547] ? ktime_get+0x3c/0xa0 [ 105.186554] bpf_test_run+0x195/0x320 [ 105.186563] ? bpf_test_run+0x10f/0x320 [ 105.186579] bpf_prog_test_run_skb+0x2f5/0x4f0 [ 105.186590] __sys_bpf+0x69c/0xa40 [ 105.186603] __x64_sys_bpf+0x1e/0x30 [ 105.186611] do_syscall_64+0x59/0x110 [ 105.186620] entry_SYSCALL_64_after_hwframe+0x76/0xe0 [ 105.186649] RIP: 0033:0x7f166a97455d Temporarily add the setting of skb->_skb_refdst before bpf_test_run to resolve the issue.

Linux Denial Of Service Debian
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory-safety and information-disclosure risk in the Linux kernel s390 (IBM Z) eBPF JIT compiler stems from incomplete ABI compliance: the JIT sign-extended values but never zero-extended unsigned BPF program return values and kfunc arguments as the s390x calling convention requires. On s390x hosts, a local user able to load BPF programs can cause the JIT to emit code that leaves stale upper register bits, producing incorrect computation that can leak kernel data or corrupt execution. There is no public exploit identified at time of analysis, EPSS is low (0.16%), and the issue is not in CISA KEV; it is fixed in multiple stable releases.

Linux Information Disclosure
NVD VulDB
EPSS 0%
Monitor

In the Linux kernel, the following vulnerability has been resolved: powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy powerpc uses pt_frag_refcount as a reference counter for tracking it's pte and pmd page table fragments. For PTE table, in case of Hash with 64K pagesize, we have 16 fragments of 4K size in one 64K page. Patch series [1] "mm: free retracted page table by RCU" added pte_free_defer() to defer the freeing of PTE tables when retract_page_tables() is called for madvise MADV_COLLAPSE on shmem range. [1]: https://lore.kernel.org/all/7cd843a9-aa80-14f-5eb2-33427363c20@google.com/ pte_free_defer() sets the active flag on the corresponding fragment's folio & calls pte_fragment_free(), which reduces the pt_frag_refcount. When pt_frag_refcount reaches 0 (no active fragment using the folio), it checks if the folio active flag is set, if set, it calls call_rcu to free the folio, it the active flag is unset then it calls pte_free_now(). Now, this can lead to following problem in a corner case... [ 265.351553][ T183] BUG: Bad page state in process a.out pfn:20d62 [ 265.353555][ T183] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20d62 [ 265.355457][ T183] flags: 0x3ffff800000100(active|node=0|zone=0|lastcpupid=0x7ffff) [ 265.358719][ T183] raw: 003ffff800000100 0000000000000000 5deadbeef0000122 0000000000000000 [ 265.360177][ T183] raw: 0000000000000000 c0000000119caf58 00000000ffffffff 0000000000000000 [ 265.361438][ T183] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set [ 265.362572][ T183] Modules linked in: [ 265.364622][ T183] CPU: 0 UID: 0 PID: 183 Comm: a.out Not tainted 6.18.0-rc3-00141-g1ddeaaace7ff-dirty #53 VOLUNTARY [ 265.364785][ T183] Hardware name: IBM pSeries (emulated by qemu) POWER10 (architected) 0x801200 0xf000006 of:SLOF,git-ee03ae pSeries [ 265.364908][ T183] Call Trace: [ 265.364955][ T183] [c000000011e6f7c0] [c000000001cfaa18] dump_stack_lvl+0x130/0x148 (unreliable) [ 265.365202][ T183] [c000000011e6f7f0] [c000000000794758] bad_page+0xb4/0x1c8 [ 265.365384][ T183] [c000000011e6f890] [c00000000079c020] __free_frozen_pages+0x838/0xd08 [ 265.365554][ T183] [c000000011e6f980] [c0000000000a70ac] pte_frag_destroy+0x298/0x310 [ 265.365729][ T183] [c000000011e6fa30] [c0000000000aa764] arch_exit_mmap+0x34/0x218 [ 265.365912][ T183] [c000000011e6fa80] [c000000000751698] exit_mmap+0xb8/0x820 [ 265.366080][ T183] [c000000011e6fc30] [c0000000001b1258] __mmput+0x98/0x300 [ 265.366244][ T183] [c000000011e6fc80] [c0000000001c81f8] do_exit+0x470/0x1508 [ 265.366421][ T183] [c000000011e6fd70] [c0000000001c95e4] do_group_exit+0x88/0x148 [ 265.366602][ T183] [c000000011e6fdc0] [c0000000001c96ec] pid_child_should_wake+0x0/0x178 [ 265.366780][ T183] [c000000011e6fdf0] [c00000000003a270] system_call_exception+0x1b0/0x4e0 [ 265.366958][ T183] [c000000011e6fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec The bad page state error occurs when such a folio gets freed (with active flag set), from do_exit() path in parallel. ... this can happen when the pte fragment was allocated from this folio, but when all the fragments get freed, the pte_frag_refcount still had some unused fragments. Now, if this process exits, with such folio as it's cached pte_frag in mm->context, then during pte_frag_destroy(), we simply call pagetable_dtor() and pagetable_free(), meaning it doesn't clear the active flag. This, can lead to the above bug. Since we are anyway in do_exit() path, then if the refcount is 0, then I guess it should be ok to simply clear the folio active flag before calling pagetable_dtor() & pagetable_free().

Linux IBM Information Disclosure +1
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix unmap race with PMD migration entries The following race is possible with migration swap entries or device-private THP entries. e.g. when move_pages is called on a PMD THP page, then there maybe an intermediate state, where PMD entry acts as a migration swap entry (pmd_present() is true). Then if an munmap happens at the same time, then this VM_BUG_ON() can happen in pmdp_huge_get_and_clear_full(). This patch fixes that. Thread A: move_pages() syscall add_folio_for_migration() mmap_read_lock(mm) folio_isolate_lru(folio) mmap_read_unlock(mm) do_move_pages_to_node() migrate_pages() try_to_migrate_one() spin_lock(ptl) set_pmd_migration_entry() pmdp_invalidate() # PMD: _PAGE_INVALID | _PAGE_PTE | pfn set_pmd_at() # PMD: migration swap entry (pmd_present=0) spin_unlock(ptl) [page copy phase] # <--- RACE WINDOW --> Thread B: munmap() mmap_write_downgrade(mm) unmap_vmas() -> zap_pmd_range() zap_huge_pmd() __pmd_trans_huge_lock() pmd_is_huge(): # !pmd_present && !pmd_none -> TRUE (swap entry) pmd_lock() -> # spin_lock(ptl), waits for Thread A to release ptl pmdp_huge_get_and_clear_full() VM_BUG_ON(!pmd_present(*pmdp)) # HITS! [ 287.738700][ T1867] ------------[ cut here ]------------ [ 287.743843][ T1867] kernel BUG at arch/powerpc/mm/book3s64/pgtable.c:187! cpu 0x0: Vector: 700 (Program Check) at [c00000044037f4f0] pc: c000000000094ca4: pmdp_huge_get_and_clear_full+0x6c/0x23c lr: c000000000645dec: zap_huge_pmd+0xb0/0x868 sp: c00000044037f790 msr: 800000000282b033 current = 0xc0000004032c1a00 paca = 0xc000000004fe0000 irqmask: 0x03 irq_happened: 0x09 pid = 1867, comm = a.out kernel BUG at :187! Linux version 6.19.0-12136-g14360d4f917c-dirty (powerpc64le-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #27 SMP PREEMPT Sun Feb 22 10:38:56 IST 2026 enter ? for help [link register ] c000000000645dec zap_huge_pmd+0xb0/0x868 [c00000044037f790] c00000044037f7d0 (unreliable) [c00000044037f7d0] c000000000645dcc zap_huge_pmd+0x90/0x868 [c00000044037f840] c0000000005724cc unmap_page_range+0x176c/0x1f40 [c00000044037fa00] c000000000572ea0 unmap_vmas+0xb0/0x1d8 [c00000044037fa90] c0000000005af254 unmap_region+0xb4/0x128 [c00000044037fb50] c0000000005af400 vms_complete_munmap_vmas+0x138/0x310 [c00000044037fbe0] c0000000005b0f1c do_vmi_align_munmap+0x1ec/0x238 [c00000044037fd30] c0000000005b3688 __vm_munmap+0x170/0x1f8 [c00000044037fdf0] c000000000587f74 sys_munmap+0x2c/0x40 [c00000044037fe10] c000000000032668 system_call_exception+0x128/0x350 [c00000044037fe50] c00000000000d05c system_call_vectored_common+0x15c/0x2ec ---- Exception: 3000 (System Call Vectored) at 0000000010064a2c SP (7fff9b1ee9c0) is in userspace 0:mon> zh commit a30b48bf1b24 ("mm/migrate_device: implement THP migration of zone device pages"), enabled migration for device-private PMD entries. Hence this is one other path where this warning could get trigger from. ------------[ cut here ]------------ WARNING: arch/powerpc/mm/book3s64/hash_pgtable.c:199 at hash__pmd_hugepage_update+0x48/0x284, CPU#3: hmm-tests/1905 Modules linked in: test_hmm CPU: 3 UID: 0 PID: 1905 Comm: hmm-tests Tainted: G B W L N 7.0.0-rc1-01438-g7e2f0ee7581c #21 PREEMPT Tainted: [B]=BAD_PAGE, [W]=WARN, [L]=SOFTLOCKUP, [N]=TEST Hardware name: IBM pSeries (emulated by qemu) POWER10 (architected) 0x801200 0xf000006 of:SLOF,git-ee03ae pSeries NIP [c000000000096b70] hash__pmd_hugepage_update+0x48/0x284 LR [c000000000096e7c] hash__pmdp_huge_get_and_clear+0xd0/0xd4 Call Trace: [c000000604707670] [c000000004e102b8] 0xc000000004e102b8 (unreliable) [c000000604707700] [c00000000064ec3c] set_pmd_migration_entry+0x414/0x498 [c000000604707760] [c00000000063e5a4] migrate_vma_col ---truncated---

Linux IBM Information Disclosure +1
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: don't kill URBs in interrupt context Serialization for the TX path was enforced by calling usb_kill_urb()/usb_kill_anchored_urbs(), to prevent transmission before a previous URB was completed. usb_tx_block() can be called from interrupt context (e.g. in the HCD giveback path), so we can't always use it to kill in-flight URBs. Prevent sleeping during interrupt context by checking the tx_submitted anchor for existing URBs. We now return -EBUSY, to indicate there's a pending request.

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: bpf: Do not allow deleting local storage in NMI Currently, local storage may deadlock when deferring freeing selem or local storage through kfree_rcu(), call_rcu() or call_rcu_tasks_trace() in NMI or reentrant. Since deleting selem in NMI is an unlikely use case, partially mitigate it by returning error when calling from bpf_xxx_storage_delete() helpers in NMI. Note that, it is still possible to deadlock through reentrant. A full mitigation requires returning error when irqs_disabled() is true, which, however is too heavy-handed for bpf_xxx_storage_delete(). The long-term solution requires _nolock versions of call_rcu. Another possible solution is to defer the free through irq_work [0], but it would grow the size of selem, which is non-ideal. The check is only needed in bpf_selem_unlink(), which is used by helpers and syscalls. bpf_selem_unlink_nofail() is fine as it is called during map and owner tear down that never run in NMI or reentrant. [0] https://lore.kernel.org/bpf/20260205190233.912-1-alexei.starovoitov@gmail.com/

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: prevent NULL vif dereference in mt7925_mac_write_txwi Check for a NULL `vif` before accessing `ieee80211_vif_is_mld(vif)` to avoid a potential kernel panic in scenarios where `vif` might not be initialized.

Linux Information Disclosure
NVD VulDB
Prev Page 3 of 143 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy