Linux Kernel vulnerabilities

CVE-2026-46036 CWE-820 kernel: vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex kernel: vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex A flaw was found in the Linux kernel's vfio/cdx component. A race condition can occur during concurrent VFIO_DEVICE_SET_IRQS ioctls (input/output control calls), specifically within the vfio_cdx_set_msi_trigger() function. This allows two callers to interact in a way that leads to a use-after-free vulnerability of the cdx_irqs a

CVE-2026-46081 CWE-843 kernel: crypto: acomp - fix wrong pointer stored by acomp_save_req() kernel: crypto: acomp - fix wrong pointer stored by acomp_save_req() A flaw was found in the Linux kernel's asynchronous compression (`acomp`) subsystem. When an asynchronous hardware implementation, such as the QAT driver, completes a request that uses the DMA virtual address interface, an incorrect pointer is stored. This leads to memory corruption within the `acomp_reqchain_done()` function, which can

CVE-2026-46006 CWE-190 kernel: drm/nouveau: fix u32 overflow in pushbuf reloc bounds check kernel: drm/nouveau: fix u32 overflow in pushbuf reloc bounds check A flaw was found in the Linux kernel's `drm/nouveau` driver. An integer overflow vulnerability exists in the `nouveau_gem_pushbuf_reloc_apply()` function. This occurs when a 32-bit unsigned integer `reloc_bo_offset` is used in a bounds check, and the addition of a small value can cause it to wrap around, leading to an incorrect comparison

CVE-2026-45954 CWE-772 kernel: fbdev: au1200fb: Fix a memory leak in au1200fb_drv_probe() kernel: fbdev: au1200fb: Fix a memory leak in au1200fb_drv_probe() A flaw was found in the Linux kernel's `au1200fb` framebuffer driver. When the `platform_get_irq` function fails during the `au1200fb_drv_probe` process, the driver incorrectly returns an error without releasing allocated memory. This memory leak could be exploited by a local attacker, potentially leading to a Denial of Service (DoS) due to

CVE-2026-46091 CWE-821 kernel: media: rc: igorplugusb: heed coherency rules kernel: media: rc: igorplugusb: heed coherency rules A flaw was found in the `igorplugusb` component of the Linux kernel. The USB request structure, when handled by Direct Memory Access (DMA) on certain host controllers, did not properly follow DMA coherency rules. This oversight could lead to data integrity issues or unexpected system behavior, as the data might not be consistent across different memory views. Package

CVE-2026-45893 CWE-823 kernel: apparmor: Fix & Optimize table creation from possibly unaligned memory kernel: apparmor: Fix & Optimize table creation from possibly unaligned memory A flaw was found in the Linux kernel's AppArmor security module. This vulnerability occurs when AppArmor attempts to create tables from user-provided data that may be unaligned in memory. A local attacker could exploit this by providing specially crafted input, leading to unaligned memory accesses. This could res

CVE-2026-45936 CWE-364 kernel: power: supply: goldfish: Fix use-after-free in power_supply_changed() kernel: power: supply: goldfish: Fix use-after-free in power_supply_changed() A flaw was found in the Linux kernel's goldfish power supply driver. A race condition during driver removal or initialization can lead to a use-after-free vulnerability. This allows an interrupt to access a freed or uninitialized power supply handle, which can cause the system to crash, resulting in a Denial of Service

CVE-2026-45906 CWE-364 kernel: power: supply: pf1550: Fix use-after-free in power_supply_changed() kernel: power: supply: pf1550: Fix use-after-free in power_supply_changed() A flaw was found in the Linux kernel's power supply driver for the pf1550 component. A race condition during system shutdown or startup could lead to a use-after-free vulnerability. This issue allows an interrupt to access memory that has been deallocated or not yet initialized, potentially causing the system to crash or c

CVE-2026-45902 CWE-364 kernel: power: supply: bq256xx: Fix use-after-free in power_supply_changed() kernel: power: supply: bq256xx: Fix use-after-free in power_supply_changed() A flaw was found in the Linux kernel's bq256xx power supply driver. A race condition during device removal or probing can lead to a use-after-free vulnerability. This occurs when an interrupt handler attempts to access a power supply handle that has already been freed or is uninitialized. A local attacker could potential

CVE-2026-45978 CWE-476 kernel: staging: greybus: lights: avoid NULL deref kernel: staging: greybus: lights: avoid NULL deref A flaw was found in the Linux kernel's Greybus Lights subsystem. This vulnerability occurs when the `gb_lights_light_config()` function attempts to store a channel count before successfully allocating the corresponding channels array. If the memory allocation fails, a subsequent cleanup operation can try to access a non-existent memory location, leading to a null pointer

CVE-2026-45950 CWE-772 kernel: crypto: starfive - Fix memory leak in starfive_aes_aead_do_one_req() kernel: crypto: starfive - Fix memory leak in starfive_aes_aead_do_one_req() A flaw was found in the Linux kernel's `starfive_aes_aead_do_one_req()` function within the crypto: starfive component. This vulnerability occurs because memory allocated for `rctx->adata` is not properly freed if `sg_copy_to_buffer()` or `starfive_aes_hw_init()` operations fail. This can lead to memory leaks, potentiall

CVE-2026-46007 CWE-821 kernel: hwmon: (powerz) Avoid cacheline sharing for DMA buffer kernel: hwmon: (powerz) Avoid cacheline sharing for DMA buffer A flaw was found in the Linux kernel's hwmon (powerz) component. This vulnerability is caused by cacheline sharing between the transfer buffer and a mutex during Direct Memory Access (DMA) operations. This architectural issue can lead to unexpected behavior or data corruption, impacting system stability. The flaw is addressed by using high-level DM

CVE-2026-45889 CWE-369 kernel: mptcp: do not account for OoO in mptcp_rcvbuf_grow() kernel: mptcp: do not account for OoO in mptcp_rcvbuf_grow() A flaw was found in the Linux kernel's Multipath TCP (MPTCP) implementation. This vulnerability occurs due to incorrect accounting for out-of-order (OoO) data in the `mptcp_rcvbuf_grow()` function. A subtle and very unlikely race condition could lead to a divide-by-zero error, potentially causing a system crash (Denial of Service). Package: kernel (Re

CVE-2026-46041 CWE-833 kernel: greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames() kernel: greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames() A flaw was found in the Linux kernel's greybus subsystem. This vulnerability occurs when a function attempts to pause its execution while holding a critical system lock, a condition known as 'sleep in atomic context'. This improper handling can lead to a system crash, making the system unavailable and resulting in

CVE-2026-46008 CWE-833 kernel: mm/damon/core: fix damos_walk() vs kdamond_fn() exit race kernel: mm/damon/core: fix damos_walk() vs kdamond_fn() exit race A flaw was found in the Linux kernel's Data Access MONitor (DAMON) subsystem. A race condition exists in the memory management component, specifically during the exit process of `kdamond_fn()` and the registration of `damos_walk()` requests. This vulnerability allows a local attacker to trigger a deadlock, resulting in a Denial of Service (Do

CVE-2026-46080 CWE-770 kernel: ocfs2: split transactions in dio completion to avoid credit exhaustion kernel: ocfs2: split transactions in dio completion to avoid credit exhaustion A flaw was found in the Linux kernel's Oracle Cluster File System 2 (ocfs2) component. During direct I/O (DIO) write operations, specifically in the `ocfs2_dio_end_io_write` function, an issue with transaction splitting can lead to credit exhaustion in the Journaling Block Device 2 (JBD2) subsystem. This can be explo

CVE-2026-45918 CWE-476 kernel: ovpn: tcp - don't deref NULL sk_socket member after tcp_close() kernel: ovpn: tcp - don't deref NULL sk_socket member after tcp_close() A flaw was found in the Linux kernel's handling of OpenVPN (Open Virtual Private Network) TCP (Transmission Control Protocol) connections. A race condition can occur when a userspace process closes a socket while a peer is in the kernel's release list. This can lead to a null pointer dereference when the kernel attempts to detach

CVE-2026-46031 CWE-821 kernel: net: ks8851: Reinstate disabling of BHs around IRQ handler kernel: net: ks8851: Reinstate disabling of BHs around IRQ handler A flaw was found in the Linux kernel's ks8851 network driver. Under specific conditions related to network packet processing and interrupt handling, a race condition can occur. This vulnerability can lead to a system deadlock, causing the affected system to become unresponsive or crash. Package: kernel (Red Hat Enterprise Linux 10) - Not a

CVE-2026-45882 CWE-364 kernel: power: supply: pm8916_bms_vm: Fix use-after-free in power_supply_changed() kernel: power: supply: pm8916_bms_vm: Fix use-after-free in power_supply_changed() A flaw was found in the Linux kernel's power supply subsystem, specifically in the `pm8916_bms_vm` driver. A race condition during the deallocation and unregistration of the `power_supply` handle and its interrupt handler can lead to a use-after-free vulnerability. This allows an interrupt to be processed usi

CVE-2026-46019 CWE-763 kernel: crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup kernel: crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup A flaw was found in the Linux kernel's `atmel-aes` cryptographic driver. The `atmel_aes_buff_cleanup` function incorrectly deallocates memory, leading to a memory leak. Specifically, while `atmel_aes_buff_init()` allocates four pages of memory, `atmel_aes_buff_cleanup()` only frees one page, resulting in three pages of m