CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A shared memory (shm) leak was found in the register_shm_helper() function of the TEE driver in the Linux kernel. When iov_iter_npages() returns 0, the function jumps to err_ctx_put, skipping the deallocation of previously allocated shm. The issue can be triggered by TEE_IOC_SHM_REGISTER with zero data length.
In the Linux kernel's Bluetooth L2CAP subsystem, a vulnerability allows an unauthenticated BR/EDR peer within radio range to send a signaling packet larger than the allowed MTU (MTUsig). Such a packet can contain multiple ECHO_REQ commands, forcing the target device to send many ECHO_RSP responses, potentially leading to overload.
A deadlock vulnerability (AA deadlock) was found in the Linux kernel's memory failure handling. Two concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can cause a recursive spinlock self-deadlock on hugetlb_lock when racing with a concurrent unmap.
In the Linux kernel, the accel/ivpu driver now validates firmware runtime memory bounds. Missing bounds check could cause memory allocation and image transfer errors.
In the Linux kernel, a NULL pointer dereference vulnerability was found in the stratix10-rsu driver. The issue occurs when rsu_send_msg() returns -ETIMEDOUT and the code continues processing on a channel whose scl structure has already been cleared, leading to a NULL dereference in the svc kthread.
An ABBA deadlock was found in the Linux kernel's iptfs_destroy_state() function in the IPTFS (IPsec) implementation. The issue occurs when the function calls hrtimer_cancel() while holding a spinlock also required by the timer callback, leading to a deadlock on SMP systems.
A heap overflow vulnerability was found in the io_ti USB serial driver in the Linux kernel. The get_manuf_info() function reads a Size field from the USB device that can be set up to 16377 bytes, while the destination buffer is only 10 bytes, causing a heap overflow of up to 16367 bytes. The fix adds validation of the descriptor length before reading.
In the Linux kernel, a dma_fence refcount leak was found in the virtio-gpu driver. The function virtio_gpu_dma_fence_wait() fails to release the chain reference on early return from the loop on error, causing a memory leak.
In the Linux kernel, a leak of the sk_ack_backlog counter was found in the vsock/vmci driver during a failed handshake. This causes the counter to increase permanently, eventually blocking all new connections when the limit is reached.
In the Linux kernel, the bnxt_en driver has a NULL pointer dereference vulnerability. It occurs when PCIe error recovery runs on a closed network interface, and bnxt_io_error_detected() accesses the uninitialized bp->bnapi structure.
In the Linux kernel's accel/ethosu driver, the NPU_OP_RESIZE command, which is U85-only, is not yet implemented. When userspace submits this command via DRM_IOCTL_ETHOSU_GEM_CREATE, it triggers a WARN_ON(1), causing unbounded kernel log spam. If panic_on_warn is set, the kernel panics, giving any unprivileged user with access to the DRM device a trivial denial-of-service primitive.
A vulnerability was found in the Linux kernel's FUSE filesystem, allowing the FUSE daemon to perform pagecache write/read operations on directories. The FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE operations were accepted for directories, potentially triggering WARN_ON() in fuse_parse_cache() when bogus data is present in the cache. The fix rejects these operations for anything other than regular files with -EINVAL.
In the Linux kernel, a vulnerability was found in the FUSE filesystem where FUSE_NOTIFY_RETRIEVE requests could return data from non-uptodate folios containing uninitialized data. This affects systems without automatic zero-initialization of page allocations (CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1).
A vulnerability was found in the Linux kernel futex/requeue mechanism. When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting waiter->task. The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences the NULL waiter->task, causing a kernel crash.
In the Linux kernel, a vulnerability in the IOMMU DMA subsystem causes iommu_dma_iova_link_swiotlb() to attempt mapping a zero-length region, leading to iommu_map() failure and mapping corruption with a WARN_ON. This is frequently triggered by Thunderbolt NVMe drives forcing SWIOTLB for unaligned memory.
A vulnerability was found in the Linux kernel's rtmutex locking mechanism, where remove_waiter() can be called for a non-enqueued waiter, leading to a NULL pointer dereference. The issue occurs during FUTEX_CMP_REQUEUE_PI operations when the waiter is not properly registered in the wait queue.
In the Linux kernel, the fastrpc driver has a vulnerability due to misuse of find_vma(). When a user pointer falls in a gap before the returned VMA, the DMA address offset calculation underflows, corrupting the DMA address sent to the DSP.
A NULL pointer dereference vulnerability was found in the Linux kernel's fastrpc driver. The issue occurs when the DSP sends a glink message before fastrpc_rpmsg_probe() completes initialization, leading to a system crash.
A vulnerability was found in the Linux kernel's set_pmd_migration_entry() function in mm/huge_memory.c. The function incorrectly uses pmd_write(), pmd_soft_dirty(), and pmd_uffd_wp() flags for device-private PMD entries, leading to incorrect marking of migration entries as writable. This can corrupt reverse mapping (rmap) state and cause memory inconsistency.
In the Linux kernel, a vulnerability in the hugetlb subsystem causes a VMA reservation leak in two copy paths (UFFDIO_COPY and fork-time CoW) when copy_user_large_folio() fails. The missing restore_reserve_on_error() call leaves the reservation consumed, leading to potential SIGBUS on subsequent accesses to the reserved address.

