CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
In the Linux kernel, a vulnerability was found in the IOMMU driver for RISC-V architecture on the invalidation path. When gather->end reaches ULONG_MAX, an overflow causes an infinite loop. Additionally, incorrect length calculation (moving +1 to the other side of <) may lead to operational errors.
In the Linux kernel, a vulnerability was found in the FUSE filesystem where fuse_dentry_revalidate() may be called with a dentry having uninitialized ->d_time field. The issue was discovered by KMSAN and could lead to reading uninitialized memory.
In the Linux kernel, a vulnerability in the SoC Tegra CBB subsystem uses an incorrect base address when looking up the target timeout for an error occurring on a different fabric, causing a kernel page fault and potential system crash.
In the Linux kernel, an off-by-one vulnerability was found in the OCFS2 filesystem's dlm_match_regions() function. The local-vs-remote region comparison loop uses '<=' instead of '<', causing it to read one entry past the valid range of the qr_regions array. Other loops in the same function correctly use '<'.
In the Linux kernel, the max77705 driver leaks memory by not destroying the workqueue on remove() and has a flawed resource release order. Interrupt handlers registered via devm may schedule work on a freed workqueue, leading to use-after-free.
In the Linux kernel pinctrl subsystem (pinconf-generic), a vulnerability was found due to incomplete validation of the 'pinmux' property in the device tree. The pinconf_generic_parse_dt_pinmux() function assumes the 'pinmux' property is not empty when present, which can cause the allocator to return a special value instead of NULL, leading to a crash when accessing invalid memory.
In the Linux kernel's hvc_iucv driver, an off-by-one vulnerability was found in the number of supported devices. When the hvc_iucv_devices counter reaches 8, the code may access hvc_iucv_table[8], which is out of bounds (the array has 8 elements indexed 0-7).
A bug in the Linux kernel's USB Type-C PS883X driver causes an Oops when unbinding the device. The issue is due to missing i2c_set_clientdata() in the probe function, leading to a NULL pointer dereference in the remove function.
A vulnerability in the Linux kernel's SCSI sg driver allows a soft lockup by setting a negative value for the def_reserved_size parameter via sysfs. The issue stems from missing validation when the parameter is modified directly through /sys/module/sg/parameters/def_reserved_size.
In the Linux kernel, a vulnerability in the F2FS filesystem was found where f2fs_sbi_show() reads extension_list, extension_count, and hot_ext_count without holding sb_lock. Concurrent modification via sysfs can lead to inconsistent reads, potentially causing out-of-bounds access or displaying stale data.
In the Linux kernel, the EIP93 crypto driver's eip93_hmac_setkey() function allocated a temporary ahash transform using the CRYPTO_ALG_ASYNC mask, which excludes async algorithms. Since EIP93 algorithms are inherently async, the lookup always failed, leaving digest fields uninitialized and causing a NULL pointer dereference and kernel panic.
In the Linux kernel, a vulnerability was found in the reset driver for Amlogic T7 SoCs. Missing reset operations cause a null pointer dereference in the kernel, potentially leading to system crashes. Currently, reset is not used on this SoC.
A use-after-free vulnerability was found in the Linux kernel's enetc network driver, related to DMA buffer handling in the NTMP mechanism. The bug can lead to silent memory corruption when a freed DMA buffer is reused by hardware.
In the Linux kernel, a vulnerability was found in the airoha network driver. Early initialization of the ndesc variable in airoha_qdma_init_tx_queue() causes a NULL pointer dereference in airoha_qdma_cleanup_tx_queue() when queue entry list allocation fails.
In the Linux kernel network driver for Airoha chips, a NULL pointer dereference vulnerability was found. It occurs when queue entry or DMA descriptor list allocation fails in airoha_qdma_init_rx_queue(), and then airoha_qdma_cleanup() tries to delete RX queue NAPI even though netif_napi_add() was never called. The issue is caused by early initialization of the ndesc variable, which is used to check if the queue is properly initialized.
In the Linux kernel, the MANA network driver is vulnerable to a double invocation of mana_remove(). If PM resume fails, mana_probe() calls mana_remove(), which nullifies context pointers. On subsequent driver unbind, a second mana_remove() call dereferences a NULL pointer, causing a kernel panic.
In the Linux kernel, the mailbox-test driver fails to free channels on probe error, causing a memory leak and potential use-after-free (UAF) scenarios because the client structure is removed automatically by devm.
A sanity check for the channel array was added in the Linux kernel mailbox driver. Without it, a missing channel array could cause a NULL pointer dereference and kernel OOPS, especially during early initialization.
In the Linux kernel, the mailbox-test driver has a double-free vulnerability when the RX channel is aliased to the TX channel with different MMIO. Freeing both channels triggers the bug.
In the Linux kernel, multiple bugs were found in the amdgpu driver's AMDGPU_INFO_READ_MMR_REG function. Issues include incorrect lock ordering (reset semaphore and mm_lock), memory allocation while holding the reset semaphore, and using down_read_trylock() instead of waiting for reset completion.

