CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
In the Linux kernel, the af_alg crypto module lacks a cap on the associated data (AD) length for AEAD algorithms, potentially causing arithmetic overflow when checking the TX buffer size.
In the Linux kernel, a use-after-free vulnerability was found in the ena network driver's get_timestamp function. The issue is due to missing synchronization when checking the active flag and reading the DMA memory pointer, which can lead to NULL pointer dereference.
A vulnerability in the Linux kernel's KVM was found where kvm_reset_dirty_gfn() fails to properly validate u64 offset wrapping. An attacker can bypass the memory range check, leading to an out-of-bounds read and potential memory corruption.
In the Linux kernel, a vulnerability was found in the SMB client subsystem that can cause an infinite loop and out-of-bounds read in the symlink_data() function. The issue occurs on 32-bit architectures when the ErrorDataLength field is set to specific large values (0xfffffff8 or 0xfffffff0), leading to incorrect pointer arithmetic.
In the Linux kernel, a vulnerability was found in the Ceph filesystem where folios not suitable for writeback were not released properly. The removal function lacked a `folio_put` call, causing a memory leak.
In the Linux kernel's sev-guest driver, a vulnerability was found where a host-controlled value is used to compute the page order when freeing a buffer. The host may return an expected buffer size, which is then used to calculate the page order, potentially leading to corruption in the page allocator.
In the Linux kernel's libceph library, a null pointer dereference vulnerability was found during decoding of choose_args in the CRUSH map. The issue occurs when a crafted CEPH_MSG_OSD_MAP message contains a corrupted CRUSH map with a bucket index pointing to a NULL entry, potentially causing a system crash.
In the Linux kernel's libceph, a potential out-of-bounds access was found in __ceph_x_decrypt(). The function fails to verify that the buffer is large enough to hold the ceph_x_encrypt_header structure, leading to memory read beyond allocated space.
In the Linux kernel's libceph, a vulnerability was found due to missing error handling in the rbtree insertion within decode_choose_args(). A malicious or corrupted CEPH_MSG_OSD_MAP message can contain two choose_args entries with the same index, triggering an assertion and causing a kernel BUG.
In the Linux kernel, a bug in the iommu/vt-d driver causes a general protection fault (oops) when killing a QEMU process. The issue is due to out-of-scope memory access to the dmar_domain structure for a global static blocked domain, which is a dummy domain. The fix returns early in domain_remove_dev_pasid() for this domain.
A vulnerability in the Linux kernel IOMMU subsystem causes a WARN_ON in __iommu_group_set_domain_nofail() due to reset. Incorrect blocking of concurrent domain attachments during group recovery can lead to a use-after-free (UAF) in detach/teardown paths.
In the Linux kernel DRM driver for Intel Xe GPUs, a vulnerability was found in DMA-BUF buffer handling. A race condition during buffer object (BO) initialization can expose an empty or freed object (Use-After-Free) on the attachment list. Reports show NULL pointer dereferences in evict_flags when importing buffers from AMDGPU.
In the Linux kernel, a use-after-free (UAF) vulnerability was found in the DRM/Xe driver's dma-buf handling. The retry loop frees the buffer object (bo) on error, causing access to freed memory. The fix moves allocation and initialization before the attach operation, making retry safe.
In the Linux kernel's qrtr module, a vulnerability was found where the socket reference count is decremented before the port is removed from the XArray and before the RCU grace period ends. This creates a race condition where a concurrent RCU reader can obtain a pointer to a socket with a zero reference count, leading to refcount saturation and potential Use-After-Free (UAF).
A deadlock vulnerability was found in the Linux kernel's send_sigio() and send_sigurg() functions when signaling process groups. The issue occurs when a process holds tasklist_lock in process context and a softirq attempts to acquire the same lock, causing a deadlock due to rwlock writer fairness.
A commit enabling threaded NAPI by default in the WireGuard driver has been reverted in the Linux kernel. The change caused rare but complete decryption stalls for specific peers in Kubernetes environments with Cilium, which never recover automatically.
Missing authentication for a critical function in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register an account. The POST /api/auth/register/ endpoint applies AllowAny permissions without email verification, CAPTCHA, or administrator approval.
motionEye (mEye) is an online interface for a software called 'motion', which is a video surveillance program with motion detection. Versions prior to 0.44.0 contain an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem.
Apple M1 GPUs retain register file data between compute shader dispatches from different processes. A sandboxed attacker app can read stale register values left by a separate sandboxed victim app.
A critical vulnerability in the Admin GUI of Payara Server allows an attacker to leak the administrator's REST session token to an attacker-controlled host, potentially leading to a full unauthenticated takeover of the Payara admin domain.

