CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.13)
In the Linux kernel, a stack info leak was found in the tap driver via the SIOCGIFHWADDR ioctl. The tap_ioctl() function copies 16 bytes of an uninitialized sockaddr_storage structure to userspace, while netif_get_mac_address() only writes 6 bytes of the MAC address, leaving 8 bytes uninitialized. These 8 bytes may leak sensitive kernel data, including pointers, defeating KASLR.
In the Linux kernel, the jitterentropy crypto mechanism replaced a long-held spinlock with a mutex. Previously, the spinlock was held during expensive entropy generation and SHA3 conditioning, causing CPU stalls for parallel readers.
In the Linux kernel's xfrm/espintcp module, a vulnerability was found where the partial send state (ctx->partial) is reused before completion. The espintcp_sendmsg() function may overwrite an active send state, leading to a stale offset in a new message and a potential out-of-bounds memory read.
In the Linux kernel's batman-adv module, a buffer overflow vulnerability was found in TVLV packet processing. The function calculating the TVLV container list size used u16 type, causing integer wrap when the total exceeded 65535 bytes, leading to undersized buffer allocation and out-of-bounds write.
In the Linux kernel, a vulnerability was found in the io_uring/poll mechanism where a signed comparison in io_poll_get_ownership() prevented the slowpath from being taken when the cancel flag (IO_POLL_CANCEL_FLAG) was set. This caused cancel operations to be mishandled.
In the Linux kernel xfrm/ipcomp module, a vulnerability was found where destination pages are not freed on asynchronous compression (acomp) errors. This causes a memory leak because the destination SG list is not cleaned up on failure.
In the Linux kernel, the batman-adv tp_meter module has a vulnerability where uninitialized sender-specific variables are used in batadv_tp_recv_ack() and batadv_tp_stop() when called on a receiver role. A malicious ACK packet can trigger undefined behavior.
A vulnerability was found in the Linux kernel's IPC Shared Memory (shm) subsystem. The orphan cleanup function (shm_destroy_orphaned) does not properly synchronize reading the shm_nattch counter with update operations, potentially leading to premature removal of a shared memory segment.
In the Linux kernel, a vulnerability in SCTP stream handling causes incomplete rollback when ADD_OUT_STREAMS is denied. Leftover metadata from removed streams can trigger a null-pointer dereference in the scheduler when the stream is re-added.
A vulnerability was found in the Linux kernel's AF_UNIX socket implementation. The SIOCATMARK ioctl, which reports the urgent data mark position (MSG_OOB), was accessible for all socket types, even though MSG_OOB is only supported for SOCK_STREAM. For SOCK_DGRAM and SOCK_SEQPACKET sockets, which reject MSG_OOB, the call now returns -EOPNOTSUPP.
In the Linux kernel, a vulnerability was found in the ebtables module where the compat_mtw_from_user() function lacks proper validation of user-supplied match_size/target_size. This can cause an out-of-bounds read when converting ebtables extensions from 32-bit user structures to kernel native structures.
In the Linux kernel's batman-adv module, a vulnerability exists where the currently selected gateway pointer is not cleared during mesh teardown, leaving stale state that can break subsequent mesh recreation.
In the Linux kernel VRF subsystem, a potential NULL pointer dereference (NPD) was found when removing a port from a VRF. RCU readers may assume a net device is a VRF port and call l3mdev operations on a new master device (e.g., a bridge) that lacks them, leading to NULL dereference.
A use-after-free vulnerability was found in the Linux kernel's SCTP implementation. When handling a Stale Cookie ERROR, the outqueue is not purged, leaving stale scheduler pointers that lead to crashes. This can be triggered remotely.
In the Linux kernel, the batman-adv module (Distributed ARP Table) fails to check the return value of pskb_copy_for_clone(). A failed memory allocation leads to a NULL pointer dereference in batadv_send_skb_prepare_unicast_4addr(), causing a system crash.
In the Linux kernel netfilter/ipset subsystem, a vulnerability was found in IPv4 range iteration for hash:ip,mark, hash:ip,port, hash:ip,port,ip, and hash:ip,port,net sets. The 32-bit iterator may advance past the end of the requested range after processing the last address, causing a later retry to continue from an unintended position.
A vulnerability was found in the Linux kernel's netfilter xt_policy module, affecting strict mode inbound policy matching. The match_policy_in() function processes sec_path entries in reverse order, causing inconsistent matching of multi-element inbound rules.
In the Linux kernel, the batman-adv module's tp_meter counter underflows during shutdown due to multiple callers of batadv_tp_sender_shutdown(). This causes a use-after-free when the interface is removed while a zombie sender thread loops indefinitely.
A vulnerability was found in the Linux kernel's Bluetooth stack due to unsynchronized access to the accept_q queue. The bt_sock_poll() function walks the queue without locking, while child socket teardown can concurrently unlink and release the last reference, causing a race condition. This issue has existed since the initial Bluetooth implementation.
In the Linux kernel, a vulnerability in the SCTP sock_diag mechanism allows the dump_one function to process stale associations. After blocking on lock_sock() and sctp_association_free() completes, the association is marked dead and its bind address list is freed, leading to an out-of-bounds memory read.

