CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.13)
In the Linux kernel's io_uring/net subsystem, a vulnerability was found due to improper inheritance of the IORING_CQE_F_BUF_MORE flag during bundle recv retries. The flag was missing from the CQE_F_MASK, causing it to be dropped and leading to incorrect buffer management by userspace.
In the Linux kernel, a dma_fence refcount leak was found in the virtio-gpu driver. The function virtio_gpu_dma_fence_wait() fails to release the chain reference on early return from the loop on error, causing a memory leak.
In the Linux kernel, a vulnerability was found in __split_huge_pmd_locked() where the file/shmem RSS counter was updated after dropping the folio reference. If folio_put() released the last reference, subsequent reads of folio state by mm_counter_file() could access freed memory.
In the Linux kernel RDMA/core component, a vulnerability was found due to missing validation of the file operations structure (fops) in the ib_get_ucaps() function. An attacker can use a block device with the same device number (dev_t) to impersonate a legitimate ucap cdev device.
In the Linux kernel RDMA/core subsystem, the cpu_id attribute from user space is passed to cpumask_test_cpu() without validation, potentially causing an out-of-bounds read of the CPU bitmap. With CONFIG_DEBUG_PER_CPU_MAPS and panic_on_warn enabled, this can lead to a system reboot.
In the Linux kernel, the RDMA/SRP driver lacks validation of the sense data length copied from SRP_RSP responses. A malicious or compromised SRP target on InfiniBand/RoCE can set a large resp_data_len, causing an out-of-bounds read beyond the received buffer and potentially a page fault.
A use-after-free vulnerability was found in the zram_bvec_write_partial() function of the Linux kernel's zram driver. During partial write, the read from the backing device is performed asynchronously, and the buffer page is freed before the read completes, causing a write to freed memory.
In the Linux kernel, a vulnerability exists in the UDP receive path where skb->dev is repurposed as dev_scratch (state cache). When a UDP socket is in a sockmap, the SK_SKB verdict program may call a socket lookup helper (bpf_sk_lookup) that reads skb->dev as a net_device pointer, leading to a non-canonical address dereference and a general protection fault (GPF) in softirq context.
In the Linux kernel's MPTCP implementation, a vulnerability was found where the TCP receive window is artificially inflated. When data is acknowledged at the TCP level but is out-of-order in the MPTCP sequence space, the receive window cannot shrink, causing the receive buffer to be exceeded. The patch allows the TCP subflow to shrink the receive window regardless of network settings.
In the Linux kernel, a vulnerability was found in nl80211_parse_rnr_elems() where the element count is stored in an 8-bit field of the cfg80211_rnr_elems structure. Lack of proper validation before incrementing the counter may lead to buffer overflow when processing oversized EMA RNR lists.
In the Linux kernel, a leak of the sk_ack_backlog counter was found in the vsock/vmci driver during a failed handshake. This causes the counter to increase permanently, eventually blocking all new connections when the limit is reached.
A livelock vulnerability was found in the Linux kernel's timer migration mechanism in the tmigr_handle_remote_up() function. The issue stems from an incorrect assumption that the local softirq already handled the CPU's timers, causing timer_expire_remote() to be skipped and leading to an infinite loop.
In the Linux kernel, a buffer over-read vulnerability was found in the staging driver rtl8723bs in the rtw_update_protection function. The function is called with a pointer offset into the ies buffer but the full ie_length is passed, potentially causing a read beyond the allocated buffer.
In the Linux kernel, the rtl8723bs staging driver for Realtek WiFi chipsets lacks bounds checks before subtracting fixed IE offsets from ie_length, which can cause unsigned integer underflow.
In the Linux kernel, the bnxt_en driver has a NULL pointer dereference vulnerability. It occurs when PCIe error recovery runs on a closed network interface, and bnxt_io_error_detected() accesses the uninitialized bp->bnapi structure.
In the Linux kernel IB/isert driver, a missing lower bound check on iSER login PDU length allows a remote initiator to send a packet shorter than 76 bytes, causing signed integer underflow and out-of-bounds memory access, crashing the target node.
A use-after-free vulnerability was found in the Linux kernel's IP fragment reassembly mechanism. During network namespace teardown, fqdir_pre_exit() flushes fragment queues without resetting q->fragments_tail and q->last_run_head pointers, which still reference freed skb buffers. This can cause memory corruption when another thread resumes processing on an already flushed queue.
In the Linux kernel, a vulnerability was found in the overlayfs mechanism where ovl_iterate_merged() incorrectly stores PTR_ERR(cache) in the err variable before checking if cache is valid. On successful ovl_cache_get(), err holds a truncated pointer that can be returned as a bogus non-zero error, leading to incorrect directory read operations.
In the Linux kernel, the accel/ethosu driver has a heap out-of-bounds write vulnerability in ethosu_gem_cmdstream_copy_and_validate(). The command parsing loop fails to re-check the buffer bound after incrementing the index for 64-bit commands, allowing userspace to write past the allocated DMA buffer.
In the Linux kernel driver for Ethos-U accelerator (accel/ethosu), a vulnerability was found in the command stream parser. The NPU_SET_IFM_REGION function uses a 0x7f mask instead of 0x7, allowing out-of-bounds indexing of the region_size[] array (size 8). A userspace attacker can craft a call to write past the allocated buffer, corrupting adjacent kernel heap data.

