CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.13)
In the Linux kernel, the xen-netback driver is vulnerable to a malicious or buggy Xen guest setting the 'multi-queue-num-queues' xenbus key to 0. The lack of lower bound validation causes a memory allocation with size 0, triggering a WARN_ON_ONCE and potentially leading to a denial of service (DoS) on systems with panic_on_warn enabled.
In the Linux kernel, accounting for out-of-order (OoO) packets at the MPTCP level in mptcp_rcvbuf_grow() has been removed. MPTCP-level OoO is physiological when multiple subflows are active and does not cause retransmissions or drops. This accounting caused the receive buffer to drift towards tcp_rmem[2]. The fix also closes a subtle race condition with rcvspace init that could lead to a divide-by-zero Oops.
In the Linux kernel md/raid1 driver, a memory leak was found in the raid1_run() function. When setup_conf() registers a thread via md_register_thread() and then raid1_set_limits() fails, the previously registered thread is not unregistered, causing a leak of the md_thread structure and thread resources.
A memory leak was found in the Linux kernel's unix_stream_connect() function for AF_UNIX sockets. When prepare_peercred() fails, unix_release_sock() is not called for the new socket (newsk), causing a memory leak.
In the Linux kernel, a vulnerability was found in the BPF helper function `bpf_xdp_store_bytes`. The expected argument type was incorrectly defined as `ARG_PTR_TO_UNINIT_MEM` with the `MEM_WRITE` flag, causing the BPF verifier to reject valid calls with read-only maps (BPF_F_RDONLY_PROG) and potentially allowing reads from uninitialized memory.
In the Linux kernel, a vulnerability was found in the AppArmor module where the per-CPU counter in aa_get_buffer can underflow. When the hold counter reaches zero while count is non-zero, it wraps to UINT_MAX, preventing buffer return to the global list and causing starvation on other CPUs and excessive memory allocations.
In the Linux kernel, a resource leak was found in the SCA3000 IIO driver. The sca3000_probe() function does not release the IRQ (spi->irq) registered via request_threaded_irq() when iio_device_register() fails.
In the Linux kernel, a memory leak was detected in the svs_enable_debug_write() function in the MediaTek SVS driver. The buffer allocated by memdup_user_nul() is not freed if kstrtoint() fails.
In the Linux kernel, a vulnerability was found in the PCI/P2PDMA mechanism. When vm_insert_page() fails in p2pmem_alloc_mmap(), the per-CPU pgmap reference is not released, causing memunmap_pages() to hang forever when trying to remove the PCI device.
In the Linux kernel HID intel-ish-hid driver, a NULL pointer dereference vulnerability was found in the ishtp_bus_remove_all_clients function. The issue occurs during a warm reset when the cl->device pointer may be NULL, leading to a kernel panic.
In the Linux kernel, a vulnerability was found in the arch_set_shadow_stack_status() function for ARM64 architecture. The alloc_gcs() function returns an error-encoded pointer on failure, not NULL. The previous NULL check failed to detect errors, which could lead to using an invalid GCS address.
In the Linux kernel, a vulnerability was found in the mfd: arizona driver where the wm5102_clear_write_sequencer() function may return an error, bypassing the cleanup sequence and causing a regulator resource leak. Regulators remain enabled, leading to resource exhaustion.
In the Linux kernel PHY driver for i.MX8QM HSIO, a NULL pointer dereference vulnerability was found. During probe, the refclk_pad pointer is set to NULL if the 'fsl,refclk-pad-mode' property is not defined in the device tree. The function imx_hsio_configure_clk_pad() uses this pointer unconditionally, which could lead to a system crash.
In the Linux kernel, a vulnerability was found in the netfilter packet filtering mechanism, specifically in red-black tree based sets (nft_set_rbtree). The issue is the lack of checking for partially overlapping intervals in anonymous sets, which can lead to incorrect filtering rule behavior.
A memory leak was detected in the Linux kernel in the pqi_report_phys_luns() function of the smartpqi driver for SCSI controllers. When encountering an unsupported data format or failing to allocate the rpl_16byte_wwid_list buffer, the function returned an error without freeing the previously allocated rpl_list buffer, leading to memory leaks.
In the Linux kernel, a vulnerability in the st33zp24 TPM driver was found where the locality is not released after a get_burstcount() error. When get_burstcount() returns -EBUSY due to timeout, st33zp24_send() exits without proper cleanup.
In the Linux kernel, memory leaks were found in XDR decoding functions in the auth_gss module of the SUNRPC protocol. The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() functions allocate memory via gssx_dec_buffer() but fail to free it when a subsequent decode operation fails, leading to memory leaks. The leak in gssx_dec_ctx() is particularly critical because the caller initializes buffer length fields to non-zero values, forcing memory allocation.
In the Linux kernel, a NULL pointer dereference vulnerability was found in the wm97xx power supply driver. The issue occurs when an interrupt (IRQ) is registered before the power_supply structure is initialized, potentially leading to the use of an uninitialized pointer in the power_supply_changed() function.
In the Linux kernel, a reference leak was detected in the pcs_add_gpio_func() function in the pinctrl-single driver. The of_parse_phandle_with_args() function increments the reference count for the gpiospec.np node, but the loop iterating through all handles never releases these references, leading to a memory leak. The issue was detected by a static analysis tool and confirmed during code review.
In the Linux kernel, the MCTP I2C driver did not initialize the event handler read buffer, causing uninitialized stack data to be returned. For i2c-aspeed and i2c-npcm7xx drivers this led to leakage of uninitialized values.

