Linux Kernel vulnerabilities
15,839 known vulnerabilities affecting linux/linux_kernel.
Total CVEs: 15,839
CISA KEV: 31 actively exploited
Public exploits: 304
Exploited in wild: 31
Severity breakdown: CRITICAL 166, HIGH 4129, MEDIUM 9271, LOW 521, UNKNOWN 1752
Vulnerabilities
CVE-2026-45862 MEDIUM CVSS 5.5 2026-05-27
CVE-2026-45862 [MEDIUM] CWE-821 kernel: iommu/vt-d: Flush cache for PASID table before using it
A flaw was found in the Linux kernel's IOMMU (Input/Output Memory Management Unit) virtualized directed I/O (VT-d) component. When a freshly allocated PASID (Process Address Space ID) table is written to a directory entry, the CPU cache flush for this table occurs too late. This creates a time window where non-coherent IOMMU hardware mig
redhat
CVE-2026-46051 MEDIUM CVSS 5.5 2026-05-27
CVE-2026-46051 [MEDIUM] CWE-835 kernel: md/raid5: fix soft lockup in retry_aligned_read()
A flaw was found in the Linux kernel's md/raid5 component. When the retry_aligned_read() function encounters an overlapped stripe, an issue in how stripes are released and processed can lead to an infinite loop. This prevents the system from resolving the overlap, resulting in a soft lockup and a Denial of Service (DoS) for the affected system.
Pac
redhat
CVE-2026-46095 MEDIUM CVSS 5.5 2026-05-27
CVE-2026-46095 [MEDIUM] CWE-821 kernel: md/md-llbitmap: raise barrier before state machine transition
A flaw was found in the Linux kernel's RAID (Redundant Array of Independent Disks) driver component. A race condition can occur when the system attempts to write or discard data, as a necessary synchronization barrier is not properly established before critical state changes. This oversight could lead to unpredictable system
redhat
CVE-2026-46024 MEDIUM CVSS 5.5 2026-05-27
CVE-2026-46024 [MEDIUM] CWE-1287 kernel: libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
A flaw was found in the Linux kernel's libceph component. A remote attacker could send a specially crafted authentication reply message to trigger a null pointer dereference. This vulnerability can lead to a system crash, resulting in a Denial of Service (DoS) for affected systems.
Package: kernel (Red Hat E
redhat
CVE-2026-45994 MEDIUM CVSS 5.5 2026-05-27
CVE-2026-45994 [MEDIUM] CWE-1284 kernel: ibmasm: fix OOB reads in command_file_write due to missing size checks
A flaw was found in the Linux kernel's ibmasm module. This vulnerability, an out-of-bounds read in the `command_file_write` function, allows an attacker to cause the system to read beyond the intended memory boundaries. By manipulating the allocation size and header fields, an attacker can trigger this flaw
redhat
CVE-2026-46078 MEDIUM CVSS 5.5 2026-05-27
CVE-2026-46078 [MEDIUM] CWE-805 kernel: erofs: fix the out-of-bounds nameoff handling for trailing dirents
A flaw was found in the Linux kernel's EROFS filesystem. A local attacker could exploit an out-of-bounds read vulnerability by creating a specially crafted EROFS image. This issue arises from incorrect calculations of directory entry name lengths, which can cause the system to read beyond allocated memory. Successfu
redhat
CVE-2026-45942 MEDIUM CVSS 7.0 2026-05-27
CVE-2026-45942 [MEDIUM] CWE-367 kernel: ext4: fix e4b bitmap inconsistency reports
A flaw was found in the Linux kernel's ext4 filesystem. A race condition exists between page migration and bitmap modification within the `load_buddy` function. This can lead to bitmap inconsistencies and false positive corruption reports during certain workloads. This issue can affect data integrity reporting and system stability.
Package: kernel (Red Hat Enter
redhat
CVE-2026-46064 MEDIUM CVSS 5.5 2026-05-27
CVE-2026-46064 [MEDIUM] CWE-125 kernel: ibmasm: fix heap over-read in ibmasm_send_i2o_message()
A flaw was found in the Linux kernel's ibmasm module. A local root user can exploit a heap over-read vulnerability within the `ibmasm_send_i2o_message()` function. This vulnerability arises from insufficient validation of user-controlled input sizes, allowing the system to read beyond allocated memory. Such an exploit could lead to the d
redhat
CVE-2026-46047 MEDIUM CVSS 7.0 2026-05-27
CVE-2026-46047 [MEDIUM] CWE-825 kernel: net: qrtr: ns: Fix use-after-free in driver remove()
A flaw was found in the Linux kernel's `qrtr` networking driver. During the driver's removal process, a timing issue can occur if a packet arrives after the work queue is destroyed but before the socket is released. This can cause the system to attempt to access memory that has already been freed, leading to a use-after-free vulnerability. Suc
redhat
CVE-2026-45846 MEDIUM CVSS 5.5 2026-05-27
CVE-2026-45846 [MEDIUM] CWE-476 kernel: bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
A flaw was found in the bareudp driver of the Linux kernel. This vulnerability allows a local attacker to trigger a NULL pointer dereference in the `bareudp_fill_metadata_dst()` function. This occurs because the function attempts to access a NULL socket when the bareudp device is down, leading to a system crash
redhat
CVE-2026-46069 MEDIUM CVSS 7.0 2026-05-27
CVE-2026-46069 [MEDIUM] CWE-825 kernel: wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
A flaw was found in the Linux kernel's mwifiex Wi-Fi driver. The `mwifiex_adapter_cleanup()` function incorrectly uses a non-synchronous timer deletion, allowing the `wakeup_timer` callback to access memory after it has been freed. This use-after-free vulnerability can lead to system instability, crashes, or potentially arb
redhat
CVE-2026-45985 MEDIUM CVSS 7.0 2026-05-27
CVE-2026-45985 [MEDIUM] CWE-367 kernel: ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O
A flaw was found in the Linux kernel's ext4 filesystem. When allocating blocks for direct I/O (DIO) and writeback, an incorrect flag handling during extent splitting could lead to a mismatch between the on-disk extent status and the extent status tree. This issue, particularly when a temporary er
redhat
CVE-2026-45842 MEDIUM CVSS 5.5 2026-05-27
CVE-2026-45842 [MEDIUM] CWE-476 kernel: slip: reject VJ receive packets on instances with no rstate array
A flaw was found in the Linux kernel's SLIP (Serial Line Internet Protocol) and PPP (Point-to-Point Protocol) components. An unprivileged local user can exploit this vulnerability by manipulating the PPPIOCSMAXCID ioctl to configure the SLIP Compressed Header (SLHC) state incorrectly. This misconfiguration leads to a
redhat
CVE-2026-46017 MEDIUM CVSS 7.0 2026-05-27
CVE-2026-46017 [MEDIUM] CWE-367 kernel: mm: fix deferred split queue races during migration
A flaw was found in the Linux kernel's memory management. A race condition in the deferred split queue during memory migration can lead to incorrect handling of memory pages. This issue may allow a local attacker to trigger a system warning, potentially causing system instability or a denial of service (DoS). In some cases, memory pages could al
redhat
CVE-2026-45962 MEDIUM CVSS 7.0 2026-05-27
CVE-2026-45962 [MEDIUM] CWE-1285 kernel: ublk: Validate SQE128 flag before accessing the cmd
A flaw was found in the Linux kernel's userspace block (ublk) driver. This vulnerability allows a local attacker to cause an out-of-boundary memory access by providing a specially crafted command that bypasses the IO_URING_F_SQE128 flag check. This could lead to a system crash, resulting in a denial of service (DoS), or potentially enable infor
redhat
CVE-2026-45844 MEDIUM CVSS 5.5 2026-05-27
CVE-2026-45844 [MEDIUM] CWE-125 kernel: netfilter: arp_tables: fix IEEE1394 ARP payload parsing
A flaw was found in the Linux kernel's netfilter ARP (Address Resolution Protocol) tables. When processing IPv4-over-IEEE1394 ARP packets on IEEE1394 interfaces, the kernel incorrectly parses the ARP payload. This can lead to incorrect filtering decisions by arptables, where packets that should be accepted may be dropped, and vice versa,
redhat
CVE-2026-45927 MEDIUM CVSS 6.3 2026-05-27
CVE-2026-45927 [MEDIUM] CWE-367 kernel: bpf: Require frozen map for calculating map hash
A flaw was found in the Linux kernel's Berkeley Packet Filter (BPF) subsystem. This vulnerability, a Time-of-check to time-of-use (TOCTOU) bug, allows a local attacker to modify the contents of a BPF map after its hash has been calculated but before it is frozen. Consequently, a trusted loader could be deceived into verifying an outdated hash, leading
redhat
CVE-2026-45891 MEDIUM CVSS 5.5 2026-05-27
CVE-2026-45891 [MEDIUM] CWE-825 kernel: net: hns3: fix double free issue for tx spare buffer
A flaw was found in the Linux kernel's hns3 network driver. This double-free vulnerability occurs due to incorrect handling of the `tx_spare` buffer during ring parameter setup. If memory allocation fails in the error cleanup path, a stale pointer to backup memory is erroneously freed twice. This can be exploited by a local attacker, potential
redhat
CVE-2026-45974 MEDIUM CVSS 5.5 2026-05-27
CVE-2026-45974 [MEDIUM] CWE-390 kernel: btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found
A flaw was found in the Linux kernel's btrfs filesystem. The `btrfs_quota_enable()` function contains a logic error where it attempts to access an invalid memory location if a specific key is not found during a search operation. This incorrect handling of search results can lead to invalid leaf acc
redhat
CVE-2026-45843 MEDIUM CVSS 5.5 2026-05-27
CVE-2026-45843 [MEDIUM] CWE-125 kernel: slip: bound decode() reads against the compressed packet length
A flaw was found in the Linux kernel's Serial Line Internet Protocol (SLIP) implementation. The `slhc_uncompress()` function, which handles VJ-compressed TCP headers, fails to perform proper bounds checks during packet processing. A remote attacker could exploit this by sending a specially crafted compressed frame, causin
redhat