CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.13)
In the Linux kernel, the accel/ethosu driver contains arithmetic issues in the dma_length() function. Incorrect arithmetic operations can cause integer overflows, bypassing GEM buffer access validation.
In the Linux kernel, the accel/ethosu driver has a vulnerability due to uninitialized DMA length. If userspace omits setting the DMA length before starting a transfer, the driver uses an uninitialized value (U64_MAX), leading to bypass of bounds checks and execution of DMA with stale physical addresses.
In the Linux kernel's accel/ethosu driver, the NPU_OP_RESIZE command, which is U85-only, is not yet implemented. When userspace submits this command via DRM_IOCTL_ETHOSU_GEM_CREATE, it triggers a WARN_ON(1), causing unbounded kernel log spam. If panic_on_warn is set, the kernel panics, giving any unprivileged user with access to the DRM device a trivial denial-of-service primitive.
A vulnerability was found in the Linux kernel's FUSE filesystem, allowing the FUSE daemon to perform pagecache write/read operations on directories. The FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE operations were accepted for directories, potentially triggering WARN_ON() in fuse_parse_cache() when bogus data is present in the cache. The fix rejects these operations for anything other than regular files with -EINVAL.
In the Linux kernel, a vulnerability was found in the FUSE filesystem where FUSE_NOTIFY_RETRIEVE requests could return data from non-uptodate folios containing uninitialized data. This affects systems without automatic zero-initialization of page allocations (CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1).
This CVE has been rejected or withdrawn by its CVE Numbering Authority.
In the Linux kernel, a race condition in iomap error handling for buffered reads can cause a NULL pointer dereference. Decrementing read_bytes_pending before error reporting allows another thread to complete the folio and detach it, leading to a crash.
In the Linux kernel, a vulnerability in the IOMMU/DMA subsystem causes iommu_dma_iova_link_swiotlb() to attempt mapping a zero-length region, leading to iommu_map() failure and mapping corruption. This is frequently triggered by Thunderbolt NVMe drives forcing SWIOTLB for unaligned memory.
A vulnerability was found in the Linux kernel's rtmutex locking mechanism, where remove_waiter() can be called for a non-enqueued waiter, leading to a NULL pointer dereference. The issue occurs during FUTEX_CMP_REQUEUE_PI operations when the waiter is not properly registered in the wait queue.
In the Linux kernel, a vulnerability in memcg's refill_stock uses get_random_u32_below() which is unsafe in NMI context, potentially corrupting the ChaCha batch state. The fix replaces random selection with a per-CPU round-robin counter.
A use-after-free vulnerability was found in the Linux kernel's fastrpc driver. When the user closes the file descriptor, the fastrpc_user structure is freed, but a workqueue may still access the freed memory, leading to a security issue.
A use-after-free vulnerability was found in the Linux kernel's fastrpc driver. The fastrpc_map_lookup function returns a raw pointer after releasing the lock, and the caller fastrpc_map_create attempts to increment the reference count on this unprotected pointer. A concurrent MEM_UNMAP operation can free the map between the lock release and the increment, leading to use-after-free.
In the Linux kernel, the misc: fastrpc driver has a vulnerability due to misuse of find_vma(). When a user pointer falls in a gap before the returned VMA, the DMA address offset calculation underflows, corrupting the DMA address sent to the DSP.
A NULL pointer dereference was found in the Linux kernel's fastrpc driver during an rpmsg callback. The issue occurs when the DSP sends a message before fastrpc_channel_ctx initialization completes, causing a system crash.
In the Linux kernel, a vulnerability in the Phonet subsystem was found where phonet_device_destroy() removes a phonet_device from the per-net list using list_del_rcu() but frees it immediately, while RCU readers may still hold a pointer, leading to a slab-use-after-free.
A use-after-free vulnerability was found in the Linux kernel's NVMEM subsystem. Error handling paths incorrectly use the nvmem structure after freeing its memory, potentially leading to security breaches.
A vulnerability was found in the Linux kernel's set_pmd_migration_entry() function in mm/huge_memory.c. The function incorrectly uses pmd_write(), pmd_soft_dirty(), and pmd_uffd_wp() flags for device-private PMD entries, leading to incorrect marking of migration entries as writable. The issue was observed in the hmm.hmm_device_private.anon_write_child test, causing rmap state corruption and assertion failures.
A vulnerability in the Linux kernel's hugetlb reservation management was found. During hugetlb folio copy operations (e.g., UFFDIO_COPY or fork), error handling fails to restore the VMA reservation, causing a leak that can lead to SIGBUS on previously reserved addresses.
In the Linux kernel, a vulnerability in the list_lru mechanism during memcg reparenting was found. The xarray entry for a dying memcg is cleared before draining its per-node lists, allowing concurrent list_lru_del() operations to modify the same list nodes under different locks, leading to data structure corruption.
In the Linux kernel MMC driver for old Rockchip controllers (rk2928, rk3066, rk3188), missing private data structure caused NULL-pointer dereference after adding memory clock auto-gating support. This affects Linux kernel.

