Linux Kernel vulnerabilities

CVE-2026-46168 [MEDIUM] CWE-821 kernel: mptcp: fix scheduling with atomic in timestamp sockopt kernel: mptcp: fix scheduling with atomic in timestamp sockopt A flaw was found in the Linux kernel's Multipath TCP (MPTCP) implementation. This vulnerability stems from an unsafe operation where `lock_sock_fast()`, intended for atomic contexts, is used with functions like `sock_set_timestamp()` and `sock_set_timestamping()` that can cause the system to sleep. Such an operation can lead to a 'scheduli

CVE-2026-46127 [MEDIUM] CWE-824 kernel: RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() kernel: RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() A flaw was found in the Linux kernel, specifically within the RDMA (Remote Direct Memory Access) ocrdma driver. This vulnerability arises from an uninitialized pointer in the `ocrdma_copy_pd_uresp()` function's error handling, which can lead to a NULL dereference. An attacker could exploit this to cause a sy

CVE-2026-46162 [MEDIUM] CWE-1341 kernel: ice: fix double free in ice_sf_eth_activate() error path kernel: ice: fix double free in ice_sf_eth_activate() error path A flaw was found in the Linux kernel's ice driver. An error in the `ice_sf_eth_activate()` function's error handling path can lead to a double free of memory. This occurs when `auxiliary_device_add()` fails, causing `kfree(sf_dev)` to be called twice. This vulnerability could lead to memory corruption or a denial of service (DoS) cond

CVE-2026-46185 [MEDIUM] CWE-125 kernel: smb/client: fix out-of-bounds read in symlink_data() kernel: smb/client: fix out-of-bounds read in symlink_data() A flaw was found in the Linux kernel's Server Message Block (SMB) client. This vulnerability arises from insufficient length validation in the `smb2_check_message()` function when processing symlink error responses. A remote attacker could exploit this by sending a specially crafted symlink error response, which may lead to an out-of-bounds re

CVE-2026-46113 [MEDIUM] CWE-825 kernel: KVM: x86: Fix shadow paging use-after-free due to unexpected GFN kernel: KVM: x86: Fix shadow paging use-after-free due to unexpected GFN A flaw was found in the Linux kernel's KVM (Kernel-based Virtual Machine) x86 shadow paging mechanism. This use-after-free vulnerability arises from incorrect handling of Guest Frame Numbers (GFNs) when guest page tables are modified. A local attacker with control over a guest virtual machine could exploit this to deref

CVE-2026-46160 [MEDIUM] CWE-911 kernel: btrfs: fix missing last_unlink_trans update when removing a directory kernel: btrfs: fix missing last_unlink_trans update when removing a directory A flaw was found in the Linux kernel's Btrfs filesystem. This vulnerability occurs when the `last_unlink_trans` field is not properly updated during directory removal. If a user maintains an open file descriptor to a removed directory and subsequently performs a filesystem synchronization (fsync) operation, it

CVE-2026-46172 [MEDIUM] CWE-772 kernel: ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() kernel: ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() A flaw was found in the Linux kernel's IPv6 (Internet Protocol version 6) xfrm6 component. When processing encapsulated IPv6 packets, the `xfrm6_rcv_encap()` function fails to release a destination (dst) entry reference if an IPv6 route lookup results in an error. A remote attacker could exploit this by sending repeated malformed IPv6 pack

CVE-2026-46139 [MEDIUM] CWE-909 kernel: smb: client: use kzalloc to zero-initialize security descriptor buffer kernel: smb: client: use kzalloc to zero-initialize security descriptor buffer A flaw was found in the Linux kernel's Server Message Block (SMB) client. When building an Access Control List (ACL) descriptor, a buffer was not properly zero-initialized, leaving a reserved field with uninitialized heap data. This can lead to Samba rejecting the security descriptor, causing `chmod` operati

CVE-2026-46114 [MEDIUM] CWE-130 kernel: RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads kernel: RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads A flaw was found in the Linux kernel's RDMA (Remote Direct Memory Access) subsystem, specifically within the rxe driver. A remote attacker could exploit this vulnerability by sending a specially crafted ATOMIC_WRITE request with a zero-byte payload. This improper handling of non-8-byte ATOMIC_WRITE payloads allows the attacker to read past the inten

CVE-2026-46170 [MEDIUM] CWE-911 kernel: mptcp: pm: ADD_ADDR rtx: free sk if last kernel: mptcp: pm: ADD_ADDR rtx: free sk if last A flaw was found in the Linux kernel's Multipath TCP (MPTCP) implementation. When an ADD_ADDR message is retransmitted, an issue in socket (sk) reference counting can prevent the socket from being properly freed. This improper resource management may lead to a Denial of Service (DoS) condition, where the system could become unresponsive due to indefinite waiting duri

CVE-2026-46193 [MEDIUM] CWE-823 kernel: xfrm: ah: account for ESN high bits in async callbacks kernel: xfrm: ah: account for ESN high bits in async callbacks A flaw was found in the Linux kernel's xfrm: ah component, which handles network security protocols. When Extended Sequence Number (ESN) is active, the kernel incorrectly processes parts of network packet data during security checks. This error can lead to the system dropping legitimate network traffic. An attacker could potentially exploi

CVE-2026-46121 [MEDIUM] CWE-367 kernel: mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock kernel: mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock A flaw was found in the Linux kernel's DAMON (Data Access MONitor) sysfs interface. A race condition exists between read and write operations on the `memcg_path` and `path` files. This allows a local attacker, by performing concurrent reads and writes with separate file handles, to trigger a use-after-fr

CVE-2026-46104 [MEDIUM] CWE-1083 kernel: selinux: use sk blob accessor in socket permission helpers kernel: selinux: use sk blob accessor in socket permission helpers A flaw was found in the Linux kernel's SELinux (Security-Enhanced Linux) socket permission helpers. In configurations where multiple Linux Security Modules (LSMs) are active, the system may incorrectly access socket security data. This can lead to invalid security identifiers (SIDs) and class values being used in Access Vector Cac

CVE-2026-46191 [MEDIUM] CWE-787 kernel: fbcon: Avoid OOB font access if console rotation fails kernel: fbcon: Avoid OOB font access if console rotation fails A flaw was found in the Linux kernel's framebuffer console (fbcon) component. When console rotation fails, the `fbcon_rotate_font()` function may keep an old font buffer that is too small for the rotated font. A local user printing to the rotated console with a high character code can trigger an out-of-bounds write, leading to memory corru

CVE-2026-46158 [MEDIUM] CWE-911 kernel: mptcp: pm: ADD_ADDR rtx: always decrease sk refcount kernel: mptcp: pm: ADD_ADDR rtx: always decrease sk refcount A flaw was found in the Linux kernel's Multipath TCP (MPTCP) implementation. When an ADD_ADDR message is retransmitted, a socket reference count may not be properly decreased, leading to a potential resource leak. Over time, this resource exhaustion could allow a remote attacker to cause a Denial of Service (DoS) by consuming system resources.

CVE-2026-46157 [MEDIUM] CWE-820 kernel: ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger kernel: ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger A flaw was found in the Linux kernel's Advanced Linux Sound Architecture (ALSA) Pulse Code Modulation (PCM) Open Sound System (OSS) subsystem. A data race vulnerability exists due to concurrent access to the `runtime.oss.trigger` field without proper protection. This unprotected access can lead to the overwriting of other b

CVE-2026-46132 [MEDIUM] CWE-908 kernel: net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo kernel: net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo A flaw was found in the Linux kernel's rtnetlink component. The `rtnl_fill_vfinfo` function declares a structure on the stack without full initialization. When processing RTM_GETLINK requests with a specific attribute, an unprivileged local process can exploit this to read up to 26 by

CVE-2026-46107 [MEDIUM] CWE-911 kernel: dm-thin: fix metadata refcount underflow kernel: dm-thin: fix metadata refcount underflow A flaw was found in the Linux kernel's Device Mapper (dm-thin) component. This vulnerability, a metadata reference count underflow, occurs in the `rebalance_children` function. When an internal btree node with a single entry is shared, the system incorrectly tracks the usage of child nodes. This can lead to 'device mapper: space map common: unable to decrement block'

CVE-2026-46190 [MEDIUM] CWE-788 kernel: mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() kernel: mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() A flaw was found in the Linux kernel's Memory Technology Device (MTD) SPI-NOR debugfs component. An out-of-bounds read vulnerability exists in the `spi_nor_params_show()` function due to an incorrect calculation of an array's size. This error allows a local attacker to read memory outside of the intended buf

CVE-2026-46115 [MEDIUM] CWE-372 kernel: block: add pgmap check to biovec_phys_mergeable kernel: block: add pgmap check to biovec_phys_mergeable A flaw was found in the Linux kernel's block subsystem. The `biovec_phys_mergeable` function, which combines physically contiguous memory segments, lacked a check to ensure these segments belonged to the same device page map (dev_pagemap). This omission could result in the incorrect identification of the page map for merged segments, potentially leading