Linux Kernel vulnerabilities

CVE-2026-46204 CWE-125 kernel: drm/amdgpu/vcn4: Prevent OOB reads when parsing IB kernel: drm/amdgpu/vcn4: Prevent OOB reads when parsing IB A flaw was found in the Linux kernel's AMD GPU (Graphics Processing Unit) driver, specifically within the `drm/amdgpu/vcn4` component. This vulnerability allows for an out-of-bounds read when processing an Instruction Buffer (IB). An attacker could potentially exploit this to read sensitive information from memory or cause system instability. Package: ker

CVE-2026-46231 CWE-911 kernel: batman-adv: bla: put backbone reference on failed claim hash insert kernel: batman-adv: bla: put backbone reference on failed claim hash insert A flaw was found in the Linux kernel's batman-adv (Better Approach To Mobile Ad-hoc Networking - Advanced) Basic Link Arbitration (BLA) module. When the batadv_bla_add_claim() function fails to insert a new claim into the hash, it leaks a reference to the backbone_gw object. This resource leak can accumulate over time, pot

CVE-2026-46202 CWE-413 kernel: HID: appletb-kbd: run inactivity autodim from workqueues kernel: HID: appletb-kbd: run inactivity autodim from workqueues A flaw was found in the Linux kernel's Apple Touch Bar keyboard driver. This vulnerability allows the system to become unstable or crash (kernel panic) when the driver's inactivity autodim feature attempts to acquire a lock from an inappropriate execution context. This can be triggered by a local user interacting with the Touch Bar, leading to

CVE-2026-46239 CWE-911 kernel: media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl kernel: media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl A flaw was found in the Linux kernel's media: i2c: ov5647 driver. This issue occurs because certain control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) do not properly release power management (PM) runtime reference counts. This oversight can lead to a resource leak, potentially resulting in a Denial of Service (DoS) due to resource exha

CVE-2026-46110 CWE-476 kernel: net: stmmac: Prevent NULL deref when RX memory exhausted kernel: net: stmmac: Prevent NULL deref when RX memory exhausted A flaw was found in the Linux kernel's `stmmac` driver. When the system experiences receive (RX) memory exhaustion, the `stmmac_rx()` function can misinterpret already-processed data descriptors as valid, leading to a NULL pointer dereference. This vulnerability can cause the system to panic, resulting in a Denial of Service (DoS). Package: ke

CVE-2026-46142 CWE-1220 kernel: net: libwx: fix VF illegal register access kernel: net: libwx: fix VF illegal register access A flaw was found in the Linux kernel's `libwx` network driver. When a Virtual Function (VF) is initialized, it attempts to read a Physical Function (PF) restricted register, `WX_CFG_PORT_ST`. This illegal register access can lead to a system hang, resulting in a Denial of Service (DoS). Package: kernel (Red Hat Enterprise Linux 10) - Not affected Package: kernel (Red H

CVE-2026-46187 CWE-366 kernel: wifi: rsi: fix kthread lifetime race between self-exit and external-stop kernel: wifi: rsi: fix kthread lifetime race between self-exit and external-stop A flaw was found in the Linux kernel's Redpine Signals (RSI) Wi-Fi driver. A race condition, which occurs when multiple operations try to access the same resource simultaneously, exists in the management of kernel threads (kthreads), lightweight processes within the kernel. This can lead to a Use-After-Free (UAF)

CVE-2026-46122 CWE-125 kernel: wifi: b43: enforce bounds check on firmware key index in b43_rx() kernel: wifi: b43: enforce bounds check on firmware key index in b43_rx() A flaw was found in the Linux kernel's b43 Wi-Fi driver. A remote attacker could exploit this vulnerability by providing a specially crafted firmware key index that exceeds the allocated array size in the `b43_rx()` function. This out-of-bounds read could lead to information disclosure, potentially revealing sensitive data fro

CVE-2026-46147 CWE-772 kernel: KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu() kernel: KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu() A flaw was found in the Linux kernel's Kernel-based Virtual Machine (KVM) for ARM64 architectures. During the vCPU initialization process, a pin leak can occur, leading to a permanent loss of references to host vCPU and SVE state pages. Additionally, a concurrent process might observe a partially initialized vCPU o

CVE-2026-46240 CWE-825 kernel: media: iris: Fix use-after-free in iris_release_internal_buffers() kernel: media: iris: Fix use-after-free in iris_release_internal_buffers() A flaw was found in the Linux kernel, specifically within the `media: iris` driver. This vulnerability, a use-after-free, occurs when a buffer is prematurely freed by `session_release_buf()` while `iris_release_internal_buffers()` continues to access it. This improper handling of memory can lead to system instability, crashe

CVE-2026-46143 CWE-772 kernel: ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens kernel: ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens A flaw was found in the Linux kernel's ASoC (Advanced Linux Sound Architecture on Chip) qcom q6apm-lpass-dai component. This vulnerability occurs because the `prepare` function can be invoked multiple times, leading to repeated graph openings for the playback path. This can result in memory leaks, potentially impacting system stability and performanc

CVE-2026-46183 CWE-413 kernel: mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock kernel: mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock A flaw was found in the Linux kernel's DAMON (Data Access MONitor) sysfs (system file system) component. This vulnerability, a use-after-free, occurs because the `damon_sysfs_quot_goal->path` buffer can be deallocated during a write operation without proper locking. A local user could exploit this race condition by reading t

CVE-2026-46108 CWE-372 kernel: ipmi:si: Return state to normal if message allocation fails kernel: ipmi:si: Return state to normal if message allocation fails A flaw was found in the Linux kernel's Intelligent Platform Management Interface (IPMI) System Interface (SI) driver. This vulnerability occurs when the driver fails to return to a normal operational state after a message allocation failure. This improper state handling can lead to the driver not starting correctly or remaining in an abno

CVE-2026-46223 CWE-833 kernel: cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated kernel: cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated A flaw was found in the Linux kernel's cgroup subsystem. This vulnerability occurs during the rmdir operation when the process initiating the rmdir is also responsible for cleaning up zombie processes that are holding onto process namespace (pidns) resources. This specific scenario can lead to a system deadlock, caus

CVE-2026-46163 CWE-1285 kernel: wifi: b43legacy: enforce bounds check on firmware key index in RX path kernel: wifi: b43legacy: enforce bounds check on firmware key index in RX path A flaw was found in the Linux kernel's `b43legacy` Wi-Fi driver. A remote attacker could exploit this vulnerability by sending specially crafted Wi-Fi frames, causing the firmware-controlled key index in the receive path to exceed its allocated bounds. This out-of-bounds read could lead to information disclosure fro

CVE-2026-46118 CWE-476 kernel: pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle() kernel: pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle() A flaw was found in the Linux kernel's `pseries/papr-hvpipe` component. A local user could trigger a null pointer dereference in the `papr_hvpipe_dev_create_handle()` function. This occurs when `src_info` is improperly re-used after being nulled, leading to a kernel panic. This vulnerability could result in a

CVE-2026-46198 CWE-190 kernel: batman-adv: fix integer overflow on buff_pos kernel: batman-adv: fix integer overflow on buff_pos A flaw was found in the Linux kernel's batman-adv component. An integer overflow in the `batadv_iv_ogm_send_to_if` function, specifically with the `buff_pos` variable, can lead to an out-of-bound read. This occurs because the size check uses an `int` type while `buff_pos` uses an `s16` type, causing a mismatch that could be exploited by a local attacker. Package: ker

CVE-2026-46154 CWE-825 kernel: sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters kernel: sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters A flaw was found in the Linux kernel, specifically within the `sched_ext` component. This vulnerability, a use-after-free, occurs in the cgroup setters when the `scx_root` pointer is cached before a required lock is acquired. This can lead to a stale pointer if a scheduler is disabled and then re-enabled, allowing a lo

CVE-2026-46211 CWE-390 kernel: drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata() kernel: drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata() A flaw was found in the Linux kernel's drm/msm/gem component. Improper error handling within the msm_ioctl_gem_info_get_metadata() function can lead to a NULL pointer dereference. This occurs because the function fails to check for allocation failures and incorrectly reports success even when operations fail. A local att

CVE-2026-46213 CWE-364 kernel: HID: appletb-kbd: fix UAF in inactivity-timer cleanup path kernel: HID: appletb-kbd: fix UAF in inactivity-timer cleanup path A flaw was found in the Linux kernel's Apple keyboard driver (appletb-kbd). A Use-After-Free (UAF) vulnerability exists in the inactivity-timer cleanup path during driver tear-down. This can occur due to race conditions between device cleanup and timer operations, or late event callbacks re-arming the timer. A local attacker could potential