Linux Kernel vulnerabilities

CVE-2026-22991 [MEDIUM] CWE-476 CVE-2026-22991: In the Linux kernel, the following vulnerability has been resolved: libceph: make free_choose_arg_m In the Linux kernel, the following vulnerability has been resolved: libceph: make free_choose_arg_map() resilient to partial allocation free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label a

CVE-2025-71160 [MEDIUM] CVE-2025-71160: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: avoid cha In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: avoid chain re-validation if possible Hamza Mahfooz reports cpu soft lock-ups in nft_chain_validate(): watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547] [..] RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables] [..] nft_immediate_validate+0x36

CVE-2025-71149 [MEDIUM] CVE-2025-71149: In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: correctly handle In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: correctly handle io_poll_add() return value on update When the core of io_uring was updated to handle completions consistently and with fixed return codes, the POLL_REMOVE opcode with updates got slightly broken. If a POLL_ADD is pending and then POLL_REMOVE is used to upda

CVE-2025-71154 [MEDIUM] CWE-401 CVE-2025-71154: In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix memory l In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure In async_set_registers(), when usb_submit_urb() fails, the allocated async_req structure and URB are not freed, causing a memory leak. The completion callback async_set_reg_cb() is responsible for freeing these alloca

CVE-2026-22978 [LOW] CVE-2026-22978: In the Linux kernel, the following vulnerability has been resolved: wifi: avoid kernel-infoleak fro In the Linux kernel, the following vulnerability has been resolved: wifi: avoid kernel-infoleak from struct iw_point struct iw_point has a 32bit hole on 64bit arches. struct iw_point { void __user *pointer; /* Pointer to the data (in user space) */ __u16 length; /* number of fields or size in bytes */ __u16 flags; /* Optional params */ }; Make sure to zero

CVE-2025-71148 [LOW] CVE-2025-71148: In the Linux kernel, the following vulnerability has been resolved: net/handshake: restore destruct In the Linux kernel, the following vulnerability has been resolved: net/handshake: restore destructor on submit failure handshake_req_submit() replaces sk->sk_destruct but never restores it when submission fails before the request is hashed. handshake_sk_destruct() then returns early and the original destructor never runs, leaking the socket. Restore sk_dest

CVE-2026-22977 [MEDIUM] CWE-476 CVE-2026-22977: In the Linux kernel, the following vulnerability has been resolved: net: sock: fix hardened usercop In the Linux kernel, the following vulnerability has been resolved: net: sock: fix hardened usercopy panic in sock_recv_errqueue skbuff_fclone_cache was created without defining a usercopy region, [1] unlike skbuff_head_cache which properly whitelists the cb[] field. [2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is enabled and the

CVE-2026-22976 [MEDIUM] CWE-476 CVE-2026-22976: In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix NULL de In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset `qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class itself is active. Two qfq_class objects may point to the same leaf_qdisc. This happens when: 1. one QFQ qdisc is attached to the

CVE-2025-71136 [HIGH] CWE-125 CVE-2025-71136: In the Linux kernel, the following vulnerability has been resolved: media: adv7842: Avoid possible In the Linux kernel, the following vulnerability has been resolved: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() It's possible for cp_read() and hdmi_read() to return -EIO. Those values are further used as indexes for accessing arrays. Fix that by checking return values where it's needed. Found by Linux Ver

CVE-2025-71122 [HIGH] CVE-2025-71122: In the Linux kernel, the following vulnerability has been resolved: iommufd/selftest: Check for ove In the Linux kernel, the following vulnerability has been resolved: iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED syzkaller found it could overflow math in the test infrastructure and cause a WARN_ON by corrupting the reserved interval tree. This only effects test kernels with CONFIG_IOMMUFD_TEST. Validate the user input length in the

CVE-2025-71143 [HIGH] CWE-129 CVE-2025-71143: In the Linux kernel, the following vulnerability has been resolved: clk: samsung: exynos-clkout: As In the Linux kernel, the following vulnerability has been resolved: clk: samsung: exynos-clkout: Assign .num before accessing .hws Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of 'struct clk_hw_onecell_data' with __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS) about the n

CVE-2025-71116 [HIGH] CWE-125 CVE-2025-71116: In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() mor In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds

CVE-2025-71123 [HIGH] CVE-2025-71123: In the Linux kernel, the following vulnerability has been resolved: ext4: fix string copying in par In the Linux kernel, the following vulnerability has been resolved: ext4: fix string copying in parse_apply_sb_mount_options() strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term string of possibly bigger size. Commit 0efc5990bca5 ("string.h: Introduce memtostr() and memtostr_pad()") provides additional information in that regard. So i

CVE-2025-71133 [HIGH] CWE-125 CVE-2025-71133: In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: avoid invalid read In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: avoid invalid read in irdma_net_event irdma_net_event() should not dereference anything from "neigh" (alias "ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE. Other events come with different structures pointed to by "ptr" and they may be smaller than st

CVE-2025-71110 [HIGH] CWE-416 CVE-2025-71110: In the Linux kernel, the following vulnerability has been resolved: mm/slub: reset KASAN tag in def In the Linux kernel, the following vulnerability has been resolved: mm/slub: reset KASAN tag in defer_free() before accessing freed memory When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free() before defer_free(). On ARM64 with MTE (Memory Tagging Extension), kasan_slab_free() poisons the memory and changes the tag from the origin

CVE-2025-71137 [HIGH] CWE-787 CVE-2025-71137: In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: fix "UBSAN: shift In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" This patch ensures that the RX ring size (rx_pending) is not set below the permitted length. This avoids UBSAN shift-out-of-bounds errors when users passes small or zero ring sizes via ethtool -G.

CVE-2025-71112 [HIGH] CWE-125 CVE-2025-71112: In the Linux kernel, the following vulnerability has been resolved: net: hns3: add VLAN id validati In the Linux kernel, the following vulnerability has been resolved: net: hns3: add VLAN id validation before using Currently, the VLAN id may be used without validation when receive a VLAN configuration mailbox from VF. The length of vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause out-of-bounds memory access once the VLAN id is bigger

CVE-2025-71128 [MEDIUM] CVE-2025-71128: In the Linux kernel, the following vulnerability has been resolved: erspan: Initialize options_len In the Linux kernel, the following vulnerability has been resolved: erspan: Initialize options_len before referencing options. The struct ip_tunnel_info has a flexible array member named options that is protected by a counted_by(options_len) attribute. The compiler will use this information to enforce runtime bounds checking deployed by FORTIFY_SOURCE str

CVE-2025-71103 [MEDIUM] CWE-476 CVE-2025-71103: In the Linux kernel, the following vulnerability has been resolved: drm/msm: adreno: fix deferencin In the Linux kernel, the following vulnerability has been resolved: drm/msm: adreno: fix deferencing ifpc_reglist when not declared On plaforms with an a7xx GPU not supporting IFPC, the ifpc_reglist if still deferenced in a7xx_patch_pwrup_reglist() which causes a kernel crash: Unable to handle kernel NULL pointer dereference at virtual address 000

CVE-2025-71134 [MEDIUM] CVE-2025-71134: In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: change all pageb In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: change all pageblocks migrate type on coalescing When a page is freed it coalesces with a buddy into a higher order page while possible. When the buddy page migrate type differs, it is expected to be updated to match the one of the page being freed. However, only the first