CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.14)

CVE-2026-53180
High

A livelock vulnerability was found in the Linux kernel's timer migration mechanism in the tmigr_handle_remote_up() function. The issue stems from an incorrect assumption that the local softirq already handled the CPU's timers, causing timer_expire_remote() to be skipped and leading to an infinite loop.

CVE-2026-53179
High

In the Linux kernel, a buffer over-read vulnerability was found in the staging driver rtl8723bs in the rtw_update_protection function. The function is called with a pointer offset into the ies buffer but the full ie_length is passed, potentially causing a read beyond the allocated buffer.

CVE-2026-53178
High

In the Linux kernel, the rtl8723bs staging driver for Realtek WiFi chipsets lacks bounds checks before subtracting fixed IE offsets from ie_length, which can cause unsigned integer underflow.

CVE-2026-53177
Medium

In the Linux kernel, the bnxt_en driver has a NULL pointer dereference vulnerability. It occurs when PCIe error recovery runs on a closed network interface, and bnxt_io_error_detected() accesses the uninitialized bp->bnapi structure.

CVE-2026-53176
CriticalEPSS 50%

In the Linux kernel's IB/isert driver, a missing lower bound check on iSER login PDU length allows a remote initiator to send a packet shorter than 76 bytes, causing an integer underflow and an out-of-bounds write. This vulnerability can crash the target node without requiring authentication.

CVE-2026-53175
Critical

A use-after-free vulnerability was found in the Linux kernel's IP fragment reassembly mechanism (IPv4/IPv6). During network namespace teardown, fqdir_pre_exit() flushes fragment queues but does not reset pointers to freed skbs, allowing a concurrent thread to dereference freed memory.

CVE-2026-53174
High

In the Linux kernel, a vulnerability was found in the overlayfs mechanism where ovl_iterate_merged() incorrectly stores PTR_ERR(cache) in the err variable before checking if cache is valid. On successful ovl_cache_get(), err holds a truncated pointer that can be returned as a bogus non-zero error, leading to incorrect directory read operations.

CVE-2026-53173
High

In the Linux kernel, the accel/ethosu driver has a heap out-of-bounds write vulnerability in ethosu_gem_cmdstream_copy_and_validate(). The command parsing loop fails to re-check the buffer bound after incrementing the index for 64-bit commands, allowing userspace to write past the allocated DMA buffer.

CVE-2026-53172
High

In the Linux kernel driver for Ethos-U accelerator (accel/ethosu), a vulnerability was found in the command stream parser. The NPU_SET_IFM_REGION function uses a 0x7f mask instead of 0x7, allowing out-of-bounds indexing of the region_size[] array (size 8). A userspace attacker can craft a call to write past the allocated buffer, corrupting adjacent kernel heap data.

CVE-2026-53171
High

In the Linux kernel, the accel/ethosu driver contains arithmetic issues in the dma_length() function. Incorrect arithmetic operations can cause integer overflows, bypassing GEM buffer access validation.

CVE-2026-53170
High

In the Linux kernel, the accel/ethosu driver has a vulnerability due to uninitialized DMA length. If userspace omits setting the DMA length before starting a transfer, the driver uses an uninitialized value (U64_MAX), leading to bypass of bounds checks and execution of DMA with stale physical addresses.

CVE-2026-53169
Medium

In the Linux kernel's accel/ethosu driver, the NPU_OP_RESIZE command, which is U85-only, is not yet implemented. When userspace submits this command via DRM_IOCTL_ETHOSU_GEM_CREATE, it triggers a WARN_ON(1), causing unbounded kernel log spam. If panic_on_warn is set, the kernel panics, giving any unprivileged user with access to the DRM device a trivial denial-of-service primitive.

CVE-2026-53168
Medium

A vulnerability was found in the Linux kernel's FUSE filesystem, allowing the FUSE daemon to perform pagecache write/read operations on directories. The FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE operations were accepted for directories, potentially triggering WARN_ON() in fuse_parse_cache() when bogus data is present in the cache. The fix rejects these operations for anything other than regular files with -EINVAL.

CVE-2026-53167
Medium

In the Linux kernel, a vulnerability was found in the FUSE filesystem where FUSE_NOTIFY_RETRIEVE requests could return data from non-uptodate folios containing uninitialized data. This affects systems without automatic zero-initialization of page allocations (CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1).

CVE-2026-53166
Low risk· EPSS 3%

This CVE has been rejected or withdrawn by its CVE Numbering Authority.

CVE-2026-53165
High

In the Linux kernel, a race condition in iomap error handling for buffered reads can cause a NULL pointer dereference. Decrementing read_bytes_pending before error reporting allows another thread to complete the folio and detach it, leading to a crash.

CVE-2026-53164
Medium

In the Linux kernel, a vulnerability in the IOMMU/DMA subsystem causes iommu_dma_iova_link_swiotlb() to attempt mapping a zero-length region, leading to iommu_map() failure and mapping corruption. This is frequently triggered by Thunderbolt NVMe drives forcing SWIOTLB for unaligned memory.

CVE-2026-53163
Medium

A vulnerability was found in the Linux kernel's rtmutex locking mechanism, where remove_waiter() can be called for a non-enqueued waiter, leading to a NULL pointer dereference. The issue occurs during FUTEX_CMP_REQUEUE_PI operations when the waiter is not properly registered in the wait queue.

CVE-2026-53162
High

In the Linux kernel, a vulnerability in memcg's refill_stock uses get_random_u32_below() which is unsafe in NMI context, potentially corrupting the ChaCha batch state. The fix replaces random selection with a per-CPU round-robin counter.

CVE-2026-53161
High

A use-after-free vulnerability was found in the Linux kernel's fastrpc driver. When the user closes the file descriptor, the fastrpc_user structure is freed, but a workqueue may still access the freed memory, leading to a security issue.

PreviousPage 211 of 4524Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS