Linux Kernel vulnerabilities
15,839 known vulnerabilities affecting linux/linux_kernel.
Total CVEs: 15,839
CISA KEV: 31 (actively exploited)
Public exploits: 304
Exploited in wild: 31
Severity breakdown: CRITICAL 166 | HIGH 4129 | MEDIUM 9271 | LOW 521 | UNKNOWN 1752
Vulnerabilities
CVE-2026-46170 | MEDIUM | CVSS 7.0 | 2026-05-28
CVE-2026-46170 [MEDIUM] CWE-911 kernel: mptcp: pm: ADD_ADDR rtx: free sk if last
A flaw was found in the Linux kernel's Multipath TCP (MPTCP) implementation. When an ADD_ADDR message is retransmitted, an issue in socket (sk) reference counting can prevent the socket from being properly freed. This improper resource management may lead to a Denial of Service (DoS) condition, where the system could become unresponsive due to indefinite waiting duri
redhat
CVE-2026-46193 | MEDIUM | CVSS 7.0 | 2026-05-28
CVE-2026-46193 [MEDIUM] CWE-823 kernel: xfrm: ah: account for ESN high bits in async callbacks
A flaw was found in the Linux kernel's xfrm: ah component, which handles network security protocols. When Extended Sequence Number (ESN) is active, the kernel incorrectly processes parts of network packet data during security checks. This error can lead to the system dropping legitimate network traffic. An attacker could potentially exploi
redhat
CVE-2026-46121 | MEDIUM | CVSS 7.0 | 2026-05-28
CVE-2026-46121 [MEDIUM] CWE-367 kernel: mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
A flaw was found in the Linux kernel's DAMON (Data Access MONitor) sysfs interface. A race condition exists between read and write operations on the `memcg_path` and `path` files. This allows a local attacker, by performing concurrent reads and writes with separate file handles, to trigger a use-after-fr
redhat
CVE-2026-46104 | MEDIUM | CVSS 5.5 | 2026-05-28
CVE-2026-46104 [MEDIUM] CWE-1083 kernel: selinux: use sk blob accessor in socket permission helpers
A flaw was found in the Linux kernel's SELinux (Security-Enhanced Linux) socket permission helpers. In configurations where multiple Linux Security Modules (LSMs) are active, the system may incorrectly access socket security data. This can lead to invalid security identifiers (SIDs) and class values being used in Access Vector Cac
redhat
CVE-2026-46191 | MEDIUM | CVSS 5.5 | 2026-05-28
CVE-2026-46191 [MEDIUM] CWE-787 kernel: fbcon: Avoid OOB font access if console rotation fails
A flaw was found in the Linux kernel's framebuffer console (fbcon) component. When console rotation fails, the `fbcon_rotate_font()` function may keep an old font buffer that is too small for the rotated font. A local user printing to the rotated console with a high character code can trigger an out-of-bounds write, leading to memory corru
redhat
CVE-2026-46158 | MEDIUM | CVSS 7.0 | 2026-05-28
CVE-2026-46158 [MEDIUM] CWE-911 kernel: mptcp: pm: ADD_ADDR rtx: always decrease sk refcount
A flaw was found in the Linux kernel's Multipath TCP (MPTCP) implementation. When an ADD_ADDR message is retransmitted, a socket reference count may not be properly decreased, leading to a potential resource leak. Over time, this resource exhaustion could allow a remote attacker to cause a Denial of Service (DoS) by consuming system resources.
redhat
CVE-2026-46157 | MEDIUM | CVSS 5.5 | 2026-05-28
CVE-2026-46157 [MEDIUM] CWE-820 kernel: ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
A flaw was found in the Linux kernel's Advanced Linux Sound Architecture (ALSA) Pulse Code Modulation (PCM) Open Sound System (OSS) subsystem. A data race vulnerability exists due to concurrent access to the `runtime.oss.trigger` field without proper protection. This unprotected access can lead to the overwriting of other b
redhat
CVE-2026-46132 | MEDIUM | CVSS 7.0 | 2026-05-28
CVE-2026-46132 [MEDIUM] CWE-908 kernel: net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo
A flaw was found in the Linux kernel's rtnetlink component. The `rtnl_fill_vfinfo` function declares a structure on the stack without full initialization. When processing RTM_GETLINK requests with a specific attribute, an unprivileged local process can exploit this to read up to 26 by
redhat
CVE-2026-46107 | MEDIUM | CVSS 5.5 | 2026-05-28
CVE-2026-46107 [MEDIUM] CWE-911 kernel: dm-thin: fix metadata refcount underflow
A flaw was found in the Linux kernel's Device Mapper (dm-thin) component. This vulnerability, a metadata reference count underflow, occurs in the `rebalance_children` function. When an internal btree node with a single entry is shared, the system incorrectly tracks the usage of child nodes. This can lead to 'device mapper: space map common: unable to decrement block'
redhat
CVE-2026-46190 | MEDIUM | CVSS 5.5 | 2026-05-28
CVE-2026-46190 [MEDIUM] CWE-788 kernel: mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
A flaw was found in the Linux kernel's Memory Technology Device (MTD) SPI-NOR debugfs component. An out-of-bounds read vulnerability exists in the `spi_nor_params_show()` function due to an incorrect calculation of an array's size. This error allows a local attacker to read memory outside of the intended buf
redhat
CVE-2026-46115 | MEDIUM | CVSS 5.5 | 2026-05-28
CVE-2026-46115 [MEDIUM] CWE-372 kernel: block: add pgmap check to biovec_phys_mergeable
A flaw was found in the Linux kernel's block subsystem. The `biovec_phys_mergeable` function, which combines physically contiguous memory segments, lacked a check to ensure these segments belonged to the same device page map (dev_pagemap). This omission could result in the incorrect identification of the page map for merged segments, potentially leading
redhat
CVE-2026-46137 | MEDIUM | CVSS 5.5 | 2026-05-28
CVE-2026-46137 [MEDIUM] CWE-821 kernel: mptcp: pm: ADD_ADDR rtx: fix potential data-race
A flaw was found in the Linux kernel, specifically within the Multipath TCP (MPTCP) implementation. The mptcp_pm_add_timer() helper, which is executed as a timer callback, does not properly hold the socket lock when operating in a softirq context. This oversight can lead to a potential data race, which may result in unpredictable system behavior or in
redhat
CVE-2026-46149 | MEDIUM | CVSS 7.0 | 2026-05-28
CVE-2026-46149 [MEDIUM] CWE-120 kernel: scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
A flaw was found in the Linux kernel's SCSI target subsystem. This vulnerability, a buffer overflow, occurs in the `tg_pt_gp_members_show()` function when processing long iSCSI IQN names. An attacker could potentially exploit this by providing a specially crafted input, leading to the disclosure of s
redhat
CVE-2026-46144 | LOW | CVSS 5.5 | 2026-05-28
CVE-2026-46144 [LOW] CWE-772 kernel: RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
A flaw was found in the Linux kernel's Remote Direct Memory Access (RDMA) subsystem, specifically within the mana driver. During an error unwind in the `mana_ib_create_qp_rss()` function, a resource leak occurs where `mana_ib_cfg_vport_steering()` is not properly cleaned up. This vulnerability could lead to resource exhaustion over time, pote
redhat
CVE-2026-46136 | LOW | CVSS 5.5 | 2026-05-28
CVE-2026-46136 [LOW] CWE-124 kernel: wifi: mt76: mt7921: fix a potential clc buffer length underflow
A flaw was found in the Linux kernel's wifi: mt76: mt7921 component. A buffer length underflow in the CLC (Country Logic Control) mechanism can occur due to changes in the power table. This issue may lead to an almost infinite loop or an invalid power setting, resulting in a Denial of Service (DoS) by causing driver initiali
redhat
CVE-2026-46224 | LOW | CVSS 5.5 | 2026-05-28
CVE-2026-46224 [LOW] CWE-772 kernel: drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure
A flaw was found in the Linux kernel's drm/xe driver. When a buffer object allocation fails within the `xe_dma_buf_init_obj()` function, a pre-allocated storage buffer is not correctly released. This oversight can lead to a resource leak, potentially causing system instability or a denial of service (DoS) for affected
redhat
CVE-2026-46196 | LOW | CVSS 5.5 | 2026-05-28
CVE-2026-46196 [LOW] CWE-459 kernel: tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()
A flaw was found in the Linux kernel. When a tracepoint (a mechanism for dynamic instrumentation) is registered, a failure during the probe installation process can lead to the registration's side effects persisting without a corresponding probe. This can cause a Denial of Service (DoS) by leaving s
redhat
CVE-2026-46140 | LOW | CVSS 5.5 | 2026-05-28
CVE-2026-46140 [LOW] CWE-125 kernel: Bluetooth: btmtk: validate WMT event SKB length before struct access
A flaw was found in the Linux kernel's Bluetooth subsystem, specifically within the `btmtk` driver. A remote attacker could exploit this vulnerability by sending a specially crafted Wireless Management Terminal (WMT) event response. The system processes these responses without properly validating the length of inco
redhat
CVE-2026-46235 | LOW | CVSS 5.5 | 2026-05-28
CVE-2026-46235 [LOW] CWE-252 kernel: media: saa7164: add ioremap return checks and cleanups
A flaw was found in the `saa7164` media driver in the Linux kernel. This vulnerability occurs due to missing return value checks for `ioremap` calls within the `saa7164_dev_setup()` function. If `ioremap` fails for BAR0 or BAR2, it can lead to null pointer dereferences and improper cleanup of PCI memory regions. This could allow a local attac
redhat
CVE-2026-46126 | LOW | CVSS 5.5 | 2026-05-28
CVE-2026-46126 [LOW] CWE-459 kernel: RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()
A flaw was found in the Linux kernel's RDMA/mana component. This issue occurs during the error unwind flow in the `mana_ib_create_qp_rss()` function, specifically related to the Work Queue (WQ) table cleanup. Incorrect handling of the cleanup process, including a double decrement and an undone operation, coul
redhat