CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.13)
In the Linux kernel, the ksmbd module is vulnerable to a remotely triggerable NULL-dereference bug. The functions smb2_oplock_break_noti() and smb2_lease_break_noti() read the opinfo->conn pointer without READ_ONCE() or NULL check, allowing a concurrent SMB2 LOGOFF to set it to NULL and cause a kernel oops.
In the Linux kernel IPVS module, a vulnerability was found where during service editing (ip_vs_edit_service), the pointer to the old scheduler (svc->scheduler) was cleared only after the scheduler module initiated RCU callbacks. This could lead to using the old scheduler after its data (sched_data) was freed after the RCU grace period, causing errors or crashes.
In the Linux kernel, a vulnerability was found in the synproxy mechanism due to missing synchronization when registering netfilter hooks on demand. When multiple users add the first iptables rules or nftables expressions concurrently, a race condition can occur in the reference counter. A mutex has been added to serialize access to the reference count control blocks from both frontends.
In the Linux kernel, the netfilter conntrack_irc module has a vulnerability allowing an out-of-bounds read. The issue occurs when parsing fails after matching a command string, and the system attempts to match a different command instead of bailing out.
A vulnerability in the Linux kernel netfilter nft_ct module causes a stack buffer overflow when a rule sets a CT zone and then reads the original source address, treating a temporary CT template as a real CT entry. This can lead to kernel stack corruption and system crash.
A vulnerability was found in the Linux kernel's netfilter bridge module, specifically in the ebt_snat target. The skb_store_bits() function writing the ARP sender hardware address may operate on nonlinear skb fragments, leading to writes in unintended memory areas. Lack of writeability check before the operation can cause data corruption.
A vulnerability in the Linux kernel's dm-cache SMQ policy was found. Missing synchronization of the allocation flag check (e->allocated) outside the mq->lock allows a race condition between concurrent invalidation operations, potentially corrupting queue or hash table structures.
A race condition was found in the Linux kernel between NEWTFILTER and DELFILTER operations in the net/sched/act_api subsystem. Concurrent execution could cause a use-after-free (UAF) of the tc_action structure because memory was freed immediately without RCU deferral. The patch restores deferred freeing via call_rcu(), eliminating the vulnerability.
A vulnerability in the Linux kernel's 6LoWPAN multicast address compression function contains an off-by-one error. This overwrites the RIID field and leaks uninitialized kernel stack memory over the network.
A Use-After-Free (UAF) vulnerability was found in the Linux kernel's L2TP PPPoL2TP driver. The pppol2tp_ioctl() function accessed the session pointer without proper locking or reference counting, allowing a race condition during copy_from_user(). The fix securely fetches the session reference using an RCU-safe, refcounted helper.
In the Linux kernel, a vulnerability in the devlink mechanism causes a nested relation to not be released when a devlink instance fails before registration. This results in a memory leak of the devlink->rel structure.
A vulnerability was found in the Linux kernel's TCP stack in reqsk_queue_hash_req(), where preemption between mod_timer() and refcount_set() causes a refcount underflow on the request_sock structure, leading to use-after-free and system crash.
A use-after-free vulnerability was found in the Linux kernel's IPv6 anycast implementation, where an anycast address (aca) could be inserted into the global hash after the device teardown had already removed it from the interface list, leading to a dangling pointer. The fix moves the hash insertion under the idev->lock to ensure atomicity with device removal.
A memory leak in the Linux kernel's Wi-Fi subsystem has been identified during 6 GHz scanning. The rdev->int_scan_req object is not freed when cfg80211_scan() fails because rdev->scan_req remains NULL, preventing proper memory release in ___cfg80211_scan_done().
In the Linux kernel, a vulnerability in the cfg80211 subsystem could cause a crash in mac80211 when eht_cap is set but eht_oper is missing. Consistency enforcement for HE/EHT elements has been added to prevent this.
A use-after-free vulnerability was found in the Linux kernel's Bluetooth RFCOMM subsystem in the rfcomm_connect_ind() function. The issue stems from missing reference counting on the listening socket after leaving the rfcomm_sk_list lock, allowing a race condition with socket closure and potential exploitation.
In the Linux kernel Bluetooth stack, an out-of-bounds read vulnerability was found in tlv_data_is_valid(). A malformed MGMT_OP_ADD_ADVERTISING request can cause reading one byte past the allocated buffer, as reported by KASAN.
In the Linux kernel, a vulnerability in Bluetooth RFCOMM MCC handlers fails to validate skb length before accessing data. A remote attacker can send truncated MCC frames, triggering out-of-bounds reads.
A vulnerability was found in the Linux kernel's Bluetooth BNEP subsystem due to missing frame length validation before parsing. A remote attacker can send a short BNEP SDU frame, causing a slab-out-of-bounds read and potentially system instability.
A memory leak in the error path of hci_alloc_dev() in the Linux kernel was fixed. When Bluetooth HCI UART device initialization fails before registration, the HCI_UNREGISTER flag is not set, bypassing hci_release_dev() and leaking SRCU percpu memory. The fix explicitly calls cleanup_srcu_struct() in the unregistered branch of bt_host_release().

