CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
In the Linux kernel, a vulnerability in the mt76 driver for mt7925 chipsets allows a NULL pointer dereference in mt7925_tx_check_aggr(). Missing NULL check for 'sta' before dereferencing may cause a system crash.
In the mt76 Wi-Fi driver for MT7921/MT7922 chipsets, there was no upper limit on the station AID. An AID exceeding 20 caused a firmware crash. The issue occurred on AP interfaces, especially with a modified hostapd.
A NULL pointer dereference vulnerability was found in the Linux kernel in the ras_core_ras_interrupt_detected() function of the AMD DRM driver. The issue occurs when ras_core is NULL and the code accesses the dev field in the error path.
In the Linux kernel, a NULL pointer dereference vulnerability was found in the AMD GPU driver (drm/amd/ras) in the ras_core_get_utc_second_timestamp() function. The function retrieves UTC timestamps for RAS events but may access ras_core->dev when ras_core is NULL, causing a kernel crash.
A vulnerability was found in the Linux kernel's padata mechanism, where the CPU offline callback was placed in a section that does not allow errors. This caused warnings and potential issues during CPU hotplug operations.
In the Linux kernel drm/amd/display driver, a NULL pointer dereference vulnerability was found in dc_dmub_srv_log_diagnostic_data() and dc_dmub_srv_enable_dpia_trace(). Incorrect condition ordering can cause DC_LOG_ERROR() to be called with a NULL dc_dmub_srv pointer, leading to a system crash.
In the Linux kernel, a vulnerability was found in the IOMMU subsystem for RISC-V architecture on the invalidation path. When gather->end reaches ULONG_MAX, an overflow causes an infinite loop. Additionally, incorrect length calculation (moving +1 to the other side of the comparison) may lead to improper behavior.
In the Linux kernel, a vulnerability was found in the FUSE filesystem where the fuse_dentry_revalidate() function may be called with a dentry having uninitialized ->d_time field. The issue was discovered by KMSAN and can lead to reading uninitialized memory.
In the Linux kernel, a vulnerability in the SoC Tegra CBB subsystem uses an incorrect base address when looking up target timeout for errors occurring on a different fabric, leading to a kernel page fault and potential system crash.
In the Linux kernel, the max77705 driver leaks memory by not destroying the workqueue and has a flawed resource release order. Using devm for interrupt registration causes the workqueue to be destroyed before interrupts are freed, leading to a potential use-after-free in a short time window.
In the Linux kernel, the pinconf_generic_parse_dt_pinmux() function assumes the 'pinmux' property is not empty when present, which can cause a crash when accessing invalid memory.
In the Linux kernel's hvc_iucv driver, an off-by-one vulnerability was found in the number of supported devices. The maximum number of devices (MAX_HVC_IUCV_LINES) is 8, but the check condition (a) allows access to index 8, causing an out-of-bounds read/write on the hvc_iucv_table[] array. This can lead to a kernel oops or potential security compromise.
A bug in the Linux kernel's USB Type-C PS883X driver causes an Oops when unbinding the device. The issue is due to missing i2c_set_clientdata() in the probe function, leading to a NULL pointer dereference in ps883x_retimer_remove().
A vulnerability in the Linux kernel's SCSI sg driver allows a soft lockup by setting a negative value for the def_reserved_size parameter via sysfs. The issue stems from missing validation of this parameter when directly modified through /sys/module/sg/parameters/def_reserved_size.
In the Linux kernel, the EIP93 crypto driver has a vulnerability in eip93_hmac_setkey() where it incorrectly uses the CRYPTO_ALG_ASYNC mask when allocating a temporary ahash transform. This excludes the only available async hash algorithms, causing HMAC key initialization to fail. When triggered via the AEAD setkey path, it leads to a NULL pointer dereference and kernel panic.
A vulnerability in the Linux kernel's reset driver for Amlogic T7 SoCs has been fixed. Missing reset operations cause a null pointer dereference, potentially leading to a kernel crash.
OpenProject before versions 17.3.3 and 17.4.1 has a vulnerability due to unrestricted data-* attributes in <macro> elements in the HTML sanitizer. An attacker can inject data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to renderStreamMessage(), executing arbitrary Turbo Stream actions including redirect_to to an attacker-controlled server.
In OpenProject prior to versions 17.3.3 and 17.4.1, an IDOR vulnerability in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public queries from another project where they lack such permissions.
A vulnerability in OpenProject prior to version 17.4.0 allows disclosure of private work package data from a linked work package belonging to an inaccessible project via a GET request to the API endpoint.
A vulnerability in OpenProject before version 17.4.0 allows an authenticated user to retrieve relations and the subject (title) of work packages they have no permission to view via the GET /api/v3/relations endpoint. The issue stems from a flawed performance optimization in RelationQuery that bypasses the Relation.visible scope.

