CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.13)
In the Linux kernel, a vulnerability was found where it attempts to set up PHY-driven SFP cages when using the generic genphy driver. This leads to a deadlock on the RTNL lock because for genphy, PHY probing runs under RTNL, unlike other drivers.
In the Linux kernel, a slab-out-of-bounds vulnerability was found in the mlx5 driver's mlx5_query_nic_vport_mac_list function. The firmware command buffer is sized based on PF capabilities, but querying a VF with a larger configuration causes the response to overflow the buffer.
In the mlx5e driver for Mellanox network cards, a DMA memory and XDP frame leak was discovered. When sending an XDP_TX packet in XSK mode, if the hardware queue is full, the function does not free the allocated frame or unmap the DMA address, leading to resource leakage.
In the Linux kernel, a vulnerability in the SIT (Simple Internet Transition) IPv6 module uses a stale inner IPv6 header pointer after GSO offloads. The ipip6_tunnel_xmit() function caches the pointer at entry, but iptunnel_handle_offloads() may relocate the skb buffer, causing reads from freed memory.
In the Linux kernel, the Open vSwitch module has a vulnerability where kfree_skb can be called on an ERR_PTR pointer. This occurs when the reply buffer allocation happens after locking the mutex, and on failure the pointer is not cleared, leading to an attempt to free an invalid pointer.
In the Linux kernel GPIO driver for Rockchip, a memory leak of generic IRQ chips occurs on driver removal. The chips are not freed, potentially leading to use-after-free and kernel crash.
A vulnerability was found in the Linux kernel's SCTP stack in the __sctp_rcv_asconf_lookup() function. An unauthenticated peer can send a truncated ASCONF chunk that declares an IPv6 address but ends after the parameter header, causing uninitialized memory to be read.
In the Linux kernel, sctp_unpack_cookie() lacked validation of the embedded INIT chunk length and address list length in SCTP cookies. A truncated INIT or oversized address list can cause out-of-bounds reads.
A vulnerability in the Linux kernel's timestamp cmsg handling for AF_PACKET sockets was found. The incorrect assumption that the PACKET_OUTGOING flag uniquely identifies error queue packets allows reading AF_PACKET control buffer state as sock_exterr_skb, potentially leading to memory disclosure or kernel panic.
In the Linux kernel, the ptp_ocp driver has a vulnerability due to incorrect resource freeing order. Pin resources are freed before ptp_clock_unregister() is called, leading to a use-after-free condition during driver removal.
In the Linux kernel, a bug was found in the vti6_tnl_lookup() function causing incorrect tunnel matching for IP6_VTI. During wildcard tunnel fallback search, missing checks allowed hash collisions to match tunnels without actual wildcard addresses.
In the Linux kernel, a vulnerability was found in netfilter where ebt_redirect_tg() dereferences br_port_get_rcu() return without NULL check, causing kernel panic when the bridge port is removed between hook invocation and NFQUEUE reinject. Userspace could also move the device to a different virtual interface, requiring packet drop.
In the Linux kernel netfilter/x_tables subsystem, a vulnerability allows leaking percpu counter pointers. During rule copy to userspace, a page fault may leave the raw percpu pointer in the user buffer before the sanitized counter is written.
In the Linux kernel, a vulnerability in the netfilter nft_exthdr module causes the register bitmap to mark more bytes as initialized than actually written when the F_PRESENT flag is set. If priv->len exceeds 4 bytes, registers beyond the first retain uninitialized stack data, leading to information disclosure.
In the Linux kernel, the mvpp2 driver had a DMA synchronization bug for received packets. The CPU sync function started at an incorrect offset, missing data at the packet tail and syncing unused headroom. On non-coherent DMA systems, this can cause the CPU to read stale cache contents.
In the Linux kernel, the mvpp2 driver incorrectly initializes the XDP frame size (frame_sz) to PAGE_SIZE instead of the actual RX buffer size from the BM pool. This allows bpf_xdp_adjust_tail() to grow a packet beyond the allocated buffer, causing memory corruption.
In the Linux kernel, a vulnerability in the mvpp2 driver allows an RX buffer to be returned to the BM pool after being handed to XDP or skb, causing use-after-free. The fix reorders operations to refill the BM pool before handing the buffer to XDP or skb.
A vulnerability was found in the Linux kernel's cleanup_prefix_route() function for IPv6. The addrconf_get_prefix_route() function can return the fib6_null_entry sentinel with a NULL fib6_table pointer, causing a NULL pointer dereference (NPD) when setting the route expiration time. The fix adds a check before operating on the entry.
In the Linux kernel DRM vc4 driver, a memory leak was discovered due to improper use of krealloc(). Overwriting the original pointer without checking for NULL return value loses the reference to previously allocated memory if reallocation fails.
A use-after-free vulnerability was found in the Linux kernel's nft_tunnel module. The nft_tunnel_obj_destroy() function calls metadata_dst_free() which directly frees the metadata_dst memory, ignoring the dst_entry refcount. Packets that hold a reference via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g., in a netem qdisc) are left with a dangling pointer, leading to use-after-free when dequeued.

