CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
In the Intel IPU6 driver for the Linux kernel, an error pointer dereference was detected in the ipu6_pci_probe() function. In an error path, isp->psys is confirmed to be an error pointer (ERR_PTR) not NULL, leading to dereferencing of an invalid pointer. The issue was reported by Smatch.
In the Linux kernel's videobuf2 subsystem, the vb2_dma_sg_mmap function was missing VMA flags (VM_DONTEXPAND and VM_DONTDUMP), causing a WARN_ON during mmap of dma-buf in the Apple ISP driver. The patch adds these flags to align with vb2_dma_contig behavior.
In the Linux kernel, a NULL pointer dereference occurs in the VSP1 driver for Renesas hardware when unloading the module on gen 4 platforms. The issue is caused by calling the wrong cleanup function (vsp1_drm_cleanup instead of vsp1_vspx_cleanup).
In the Linux kernel, the staging driver rtl8723bs has a vulnerability where the return value of kzalloc_flex() in rtw_cbuf_alloc is not checked, leading to a potential NULL pointer dereference if memory allocation fails.
In the Linux kernel, the restriction allowing only a single open of /sys/fs/selinux/policy has been removed. Previously, any process could block others from reading the SELinux policy, posing a security issue. The patch eliminates the policy_opened flag and shortens the critical section with the policy mutex.
A race condition was found in the Linux kernel's pseries/papr-hvpipe module between the ioctl/release handlers and interrupt handling. If an interrupt fires on the same CPU while these handlers are executing, a deadlock can occur.
In the Linux kernel, the libwx driver uses request_threaded_irq() with a primary handler but no threaded handler, while setting IRQF_ONESHOT flag, triggering a kernel warning since commit aef30c8d569c. The fix replaces it with request_irq() and removes the unnecessary flag.
In the Linux kernel, a vulnerability in the s3c64xx SPI driver was found. Moving DMA channel allocation from probe() to s3c64xx_spi_prepare_transfer() failed to remove the corresponding deallocation from remove(), causing a NULL-pointer dereference on driver unbind.
In the Linux kernel, a race condition in KVM x86's posted interrupt handling can cause the highest pending interrupt to be incorrectly reported. This occurs when the sender's atomic operations (setting PIR and PID.ON) interleave with the receiver's sync, leading to a spurious warning and unnecessary L2 VM-Enter/VM-Exit cycles.
In the Linux kernel, a vulnerability in the PM Domain (genpd) subsystem was found. The missing pm_runtime_disable() call when detaching virtual devices leaves runtime PM enabled, potentially causing critical errors like NULL pointer dereference.
In the Linux kernel, the CAAM cryptographic driver leaks HMAC key bytes via hex dumps in hash_digest_key(). Using print_hex_dump() instead of print_hex_dump_devel() exposes sensitive key material at runtime when CONFIG_DYNAMIC_DEBUG is enabled.
A vulnerability in the Linux kernel's EFI page fault handling was introduced by FPU changes (commit d02198550423). kernel_fpu_begin() now disables softirqs via local_bh_disable(), causing in_interrupt() to return true during EFI runtime calls. This makes efi_crash_gracefully_on_page_fault() always bail out, turning firmware page faults into a kernel panic and system freeze instead of graceful recovery.
In the txgbe driver for copper NICs with external PHY, a missing RTNL lock during PHY disconnection on module removal triggers an RTNL assertion warning in phylink_disconnect_phy().
In the qcom-lpg LED driver in the Linux kernel, array bounds checking was missing when selecting high resolution values. The FIELD_GET() macro extracted a 3-bit register value, but the array had only 5 entries, potentially causing out-of-bounds read.
In the Linux kernel, a vulnerability causes a system crash during early boot when kernel command-line parameters (hugepages, hugepagesz, default_hugepagesz) are specified without the '=' separator. The hugetlb_add_param() function calls strlen() on a NULL value, leading to a pointer dereference and crash.
In the Linux kernel TPM driver, a vulnerability was found where tpm_dev_release() uses plain kfree() instead of kfree_sensitive() to free the auth session structure. This leaves sensitive cryptographic material such as HMAC session keys, nonces, and passphrase data in non-zeroed memory.
In the Linux kernel, the admv1013 frequency driver has a NULL pointer dereference vulnerability. When device_property_read_string() fails, the str variable remains uninitialized, and the code proceeds to strcmp(str, ...), dereferencing garbage memory.
In the Linux kernel, a null pointer dereference was found in the Imagination (powervr) DRM driver when updating the ftrace trace mask. This causes a segfault and can lead to system crash.
In the Linux kernel amdgpu driver, a bug causes a system crash during initialization of RDNA4 GPUs (e.g., RX 9070 XT). The issue occurs when amdgpu_ttm_init_on_chip() calls ttm_range_man_init() with zero size for absent GDS, GWS, and OA resources, triggering a DRM_MM_BUG_ON assertion and kernel panic. The fix adds an early return when size is zero, skipping TTM resource manager registration for non-existent hardware.
In versions from 2.3.1 to before 2.5.10, when deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server logs include the TLS private key password in plaintext. This allows an attacker with access to the logs to recover the password.

