Linux Kernel vulnerabilities

CVE-2026-46242 [MEDIUM] CWE-825 kernel: eventpoll: fix ep_remove struct eventpoll / struct file UAF kernel: eventpoll: fix ep_remove struct eventpoll / struct file UAF In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file UAF ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurre

CVE-2026-46124 [HIGH] CWE-1285 kernel: isofs: validate block number from NFS file handle in isofs_export_iget kernel: isofs: validate block number from NFS file handle in isofs_export_iget A flaw was found in the Linux kernel's `isofs` filesystem. An authenticated NFS (Network File System) peer can exploit this vulnerability by providing a specially crafted file handle. This allows the server to read arbitrary in-range blocks on the backing device, leading to information disclosure where unrela

CVE-2026-46155 [HIGH] CWE-130 kernel: smb/client: fix out-of-bounds read in smb2_compound_op() kernel: smb/client: fix out-of-bounds read in smb2_compound_op() A flaw was found in the Linux kernel's Server Message Block (SMB) client. A remote attacker, acting as a malicious SMB server, could send a specially crafted, truncated response with an oversized buffer length. This could lead to an out-of-bounds read in the smb2_compound_op() function, allowing the attacker to leak sensitive kernel heap

CVE-2026-46152 [HIGH] CWE-1058 kernel: wifi: mac80211: drop stray 'static' from fast-RX rx_result kernel: wifi: mac80211: drop stray 'static' from fast-RX rx_result A flaw was found in the Linux kernel's Wi-Fi (mac80211) subsystem. The `ieee80211_invoke_fast_rx()` function uses a static variable for `rx_result`, which is shared across concurrent calls. This can lead to incorrect processing of Wi-Fi packets, where a packet might be mishandled or its status incorrectly reported. Such issues can r

CVE-2026-46215 [HIGH] CWE-825 kernel: drm: Set old handle to NULL before prime swap in change_handle kernel: drm: Set old handle to NULL before prime swap in change_handle A flaw was found in the Linux kernel. A race condition in the Direct Rendering Manager (DRM) subsystem's `change_handle` function could allow a local attacker to trigger a use-after-free vulnerability. This occurs when a concurrent `gem_close` operation removes one handle while another remains dangling. Successful exploitatio

CVE-2026-46227 [HIGH] CWE-367 kernel: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL kernel: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL A flaw was found in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. A race condition exists in the `SCTP_SENDALL` path where a cached list entry is not properly revalidated after the socket lock is temporarily released. This allows a local attacker or a remote attacker (via

CVE-2026-46173 [HIGH] CWE-1341 kernel: exit: prevent preemption of oopsing TASK_DEAD task kernel: exit: prevent preemption of oopsing TASK_DEAD task A flaw was found in the Linux kernel. During the exit process of a task that has encountered an error, the system can incorrectly allow the task to be interrupted. This can lead to improper management of the task's memory, potentially causing memory corruption. Such an issue could allow a local attacker to cause a system crash (Denial of Service) o

CVE-2026-46181 [HIGH] CWE-366 kernel: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() kernel: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() A flaw was found in the Linux kernel's RDMA/mlx4 component. This vulnerability arises from the incorrect use of Read-Copy Update (RCU) in the `mlx4_srq_event()` function. An attacker could potentially trigger an event before the `srq` object is fully initialized, leading to a system crash. This could result in a Denial of Service (DoS) for the affecte

CVE-2026-46145 [HIGH] CWE-787 kernel: RDMA/mana: Validate rx_hash_key_len kernel: RDMA/mana: Validate rx_hash_key_len A flaw was found in the Linux kernel's RDMA/mana component. A local user could exploit this vulnerability by providing an invalid `rx_hash_key_len` value through a user-space API (uAPI) structure. This invalid value is then used in a `memcpy` operation without proper bounds checking, allowing the user to write beyond intended memory boundaries. This can lead to kernel memory cor

CVE-2026-46135 [HIGH] CWE-1341 kernel: nvmet-tcp: fix race between ICReq handling and queue teardown kernel: nvmet-tcp: fix race between ICReq handling and queue teardown A flaw was found in the Linux kernel's NVMe over TCP (nvmet-tcp) implementation. A race condition exists between the handling of an Initialization Connection Request (ICReq) and the teardown of a queue. A remote attacker, by sending an ICReq and immediately closing the connection, could trigger a double free vulnerability. Thi

CVE-2026-46195 [HIGH] CWE-787 kernel: smb: client: validate dacloffset before building DACL pointers kernel: smb: client: validate dacloffset before building DACL pointers A flaw was found in the Linux kernel's Server Message Block (SMB) client. A malicious server can exploit this vulnerability on 32-bit systems by providing a crafted dacloffset value. This can cause a pointer wrap, leading to the dereferencing of invalid Discretionary Access Control List (DACL) fields during chmod or chown ope

CVE-2026-46120 [HIGH] CWE-763 kernel: ip6_gre: Use cached t->net in ip6erspan_changelink() kernel: ip6_gre: Use cached t->net in ip6erspan_changelink() A flaw was found in the Linux kernel's ip6_gre module. An unprivileged user could exploit this vulnerability by migrating a network device, causing the ip6erspan_changelink() function to incorrectly handle network namespace references. This error leads to a use-after-free condition when the original network namespace is destroyed, potentially re

CVE-2026-46176 [HIGH] CWE-825 kernel: RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() kernel: RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() A flaw was found in the Linux kernel's RDMA/mlx5 component. An error path fall-through in the `mlx5_ib_dev_res_srq_init()` function, specifically when `ib_create_srq()` fails, can lead to the use of freed memory and error pointers. This memory corruption vulnerability could result in system instability, denial of

CVE-2026-46209 [HIGH] CWE-190 kernel: drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() kernel: drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() A flaw was found in the Linux kernel's Direct Rendering Manager (DRM) Graphics Execution Manager (GEM) component. This vulnerability arises from an inconsistent calculation of plane dimensions, which can lead to incorrect memory allocation checks. A local attacker could exploit th

CVE-2026-46117 [HIGH] CWE-1288 kernel: RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() kernel: RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() A flaw was found in the Linux kernel's RDMA/mana component. A local user could trigger a kernel corruption by providing specific configurations through the user Application Programming Interface (uAPI) that cause an internal error. This issue arises when Work Queues (WQs) are specified to share the same Com

CVE-2026-46150 [HIGH] CWE-280 kernel: fanotify: fix false positive on permission events kernel: fanotify: fix false positive on permission events A flaw was found in the Linux kernel's fanotify subsystem. This vulnerability allows for a bypass of permission checks because the `fsnotify_get_mark_safe()` function may incorrectly return false for marks on unrelated groups. This could enable an attacker to perform unauthorized actions by circumventing intended security restrictions. Package: kerne

CVE-2026-46166 [HIGH] CWE-825 kernel: wifi: mac80211: use safe list iteration in radar detect work kernel: wifi: mac80211: use safe list iteration in radar detect work A flaw was found in the Linux kernel's mac80211 wireless subsystem. This vulnerability arises from unsafe list iteration during radar detection work, where a channel context can be freed while still being processed. This can lead to a use-after-free memory error. A successful exploit could result in system instability or a denial

CVE-2026-46189 [HIGH] CWE-1341 kernel: RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path kernel: RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path A flaw was found in the Linux kernel, specifically within the RDMA (Remote Direct Memory Access) vmw_pvrdma module. This vulnerability is a double free, which means the system attempts to release the same memory resource twice. This can occur in an error handling path within the `pvrdma_alloc_ucontext()` func

CVE-2026-46125 [HIGH] CWE-825 kernel: wifi: mac80211: remove station if connection prep fails kernel: wifi: mac80211: remove station if connection prep fails A flaw was found in the Linux kernel's mac80211 Wi-Fi subsystem. When Multi-Link Operation (MLO) connection preparation fails, the system may not correctly remove the associated station. This can lead to a use-after-free or double-free vulnerability in the debugfs component, potentially causing system instability or unexpected behavior. P

CVE-2026-46116 [HIGH] CWE-763 kernel: xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete kernel: xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete A flaw was found in the Linux kernel's `xfrm` (IPSec framework) subsystem. This vulnerability, a use-after-free, occurs when the system incorrectly manages memory related to security policies, specifically during the deletion of `xfrm_state` lists. An attacker with local access could exploit this flaw by triggering specif