CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-53264
High

A race condition in the Linux kernel's action lifecycle management (act_api) in the networking subsystem was discovered. Concurrent NEWTFILTER and DELFILTER operations can cause a use-after-free (UAF) due to improper dereference and deallocation ordering of actions.

CVE-2026-53262
High

A Use-After-Free (UAF) vulnerability was found in the Linux kernel's L2TP driver (pppol2tp) in the pppol2tp_ioctl() function. The function read the session pointer without locks or reference counting, allowing a race condition during copy_from_user().

CVE-2026-53259
High

In the Linux kernel, a vulnerability in IPv6 anycast implementation allows a use-after-free when a struct ifacaddr6 (aca) is freed while still linked in the global hash table. The race condition occurs because the insertion into idev->ac_list and the global hash are not atomic with respect to interface teardown.

CVE-2026-53256
High

A use-after-free vulnerability was found in the Linux kernel's Bluetooth RFCOMM subsystem in the rfcomm_connect_ind() function. The issue stems from missing reference counting on the listening socket during rfcomm_sk_list scanning, allowing a race condition with socket closure and potential exploitation.

CVE-2026-53254
High

In the Linux kernel, a vulnerability in Bluetooth RFCOMM MCC handlers fails to validate skb length before accessing data. A remote attacker can send truncated MCC frames, triggering out-of-bounds reads.

CVE-2026-53253
High

A vulnerability was found in the Linux kernel's Bluetooth BNEP subsystem due to missing frame length validation before parsing. A remote attacker can send a short BNEP SDU frame, causing an out-of-bounds memory read and potentially system instability.

CVE-2026-53250
High

A TOCTOU vulnerability was found in the Linux kernel's xsk_skb_metadata() function for AF_XDP sockets. The csum_start and csum_offset fields are read twice from shared UMEM memory, allowing a malicious userspace process to overwrite them between reads, bypassing bounds checks and causing out-of-bounds memory access during checksum computation in the transmit path.

CVE-2026-53248
High

A use-after-free vulnerability was found in the Linux kernel's airoha network driver. The airoha_metadata_dst_free() function called metadata_dst_free() which immediately freed the metadata_dst via kfree(), bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer, requiring RCU protection and ensuring the dst remains valid until all RCU readers complete.

CVE-2026-53244
High

In the Linux kernel, a vulnerability in nfsd4_create_file() can cause a failure to unlock the parent directory when dentry_create() returns an error pointer. This occurs when an exported filesystem uses atomic_create() and that operation fails.

CVE-2026-53242
High

A vulnerability in the Linux kernel's ALSA PCM driver was found where snd_pcm_drain() can corrupt wait queues when operating on linked streams. The flaw stems from improper wait entry management, potentially leading to a NULL pointer dereference and kernel panic.

CVE-2026-53240
High

A use-after-free vulnerability was found in the Linux kernel's xfrm IPsec module in the __input_process_payload function. The issue occurs when first_skb is stored in xtfs->ra_newskb without a lock, allowing another thread to free it, leading to use of freed memory.

CVE-2026-53239
High

A use-after-free vulnerability was found in the Linux kernel's xfrm_policy_bysel_ctx() function for XFRM policies. The issue is a race condition where an inexact policy bin is freed during hash rebuild while another thread still uses it after releasing the lock.

CVE-2026-53235
High

A vulnerability was found in the Linux kernel's skb_gro_receive_list() function, which calls skb_pull() without first ensuring data is in the linear area via pskb_may_pull(). For packets arriving via napi_gro_frags(), this can trigger a BUG_ON assertion and system crash. The fix adds pskb_may_pull() and sets a flush flag on failure.

CVE-2026-53233
High

A double-free vulnerability was found in the Linux kernel in the netdev_nl_bind_rx_doit() function. The error path incorrectly calls nlmsg_free() after genlmsg_reply() already consumed the skb, causing a double-free.

CVE-2026-53232
High

In the Linux kernel, a vulnerability was found where sfp_bus_del_upstream() is not called in the error path during PHY driver initialization. This leaves a dangling 'upstream' pointer in the sfp-bus structure, which may be later used during SFP events.

CVE-2026-53230
High

In the Linux kernel, a slab-out-of-bounds vulnerability was found in the mlx5 driver's mlx5_query_nic_vport_mac_list function. The firmware command buffer is sized based on PF capabilities, but querying a VF with a larger configuration causes the response to overflow the buffer.

CVE-2026-53229
High

In the mlx5e driver for Mellanox network cards, a DMA memory and XDP frame leak was discovered. When sending an XDP_TX packet in XSK mode, if the hardware queue is full, the function does not free the allocated frame or unmap the DMA address, leading to resource leakage.

CVE-2026-53223
High

A vulnerability in the Linux kernel's timestamp cmsg handling for AF_PACKET sockets was found. The incorrect assumption that the PACKET_OUTGOING flag uniquely identifies error queue packets allows reading AF_PACKET control buffer state as sock_exterr_skb, potentially leading to memory disclosure or kernel panic.

CVE-2026-53217
High

In the Linux kernel, the mvpp2 driver had a DMA synchronization bug for received packets. The CPU sync function started at an incorrect offset, missing data at the packet tail and syncing unused headroom. On non-coherent DMA systems, this can cause the CPU to read stale cache contents.

CVE-2026-53212
High

A use-after-free vulnerability was found in the Linux kernel's nft_tunnel module. The nft_tunnel_obj_destroy() function calls metadata_dst_free() which directly frees the metadata_dst memory, ignoring the dst_entry refcount. Packets that hold a reference via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g., in a netem qdisc) are left with a dangling pointer, leading to use-after-free when dequeued.

PreviousPage 58 of 3343Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS