Linux Kernel vulnerabilities

CVE-2026-46241 CWE-825 kernel: spi: mpc52xx: fix use-after-free on registration failure kernel: spi: mpc52xx: fix use-after-free on registration failure A flaw was found in the Linux kernel's `spi: mpc52xx` component. This use-after-free vulnerability occurs when the controller registration fails. An attacker could potentially exploit this flaw to cause a system crash or lead to a resource leak, impacting system stability and availability. Package: kernel (Red Hat Enterprise Linux 10) - Not af

CVE-2026-46220 CWE-1285 kernel: drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission kernel: drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission A flaw was found in the Linux kernel's AMDGPU graphics driver (drm/amdgpu/sdma4). An unprivileged local user could exploit this vulnerability by submitting specially crafted DRM_IOCTL_AMDGPU_CS commands with misaligned fence writeback addresses. This could trigger a BUG_ON assertion, leading to a fatal kernel panic and causing a

CVE-2026-46134 CWE-909 kernel: platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration kernel: platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration A flaw was found in the Linux kernel's `cros_ec_typec` component. This vulnerability occurs because a mutex, a mechanism used to prevent simultaneous access to shared resources, was not properly initialized during Thunderbolt registration. This oversight can lead to a NULL dereference, potentially causing system inst

CVE-2026-46232 CWE-805 kernel: HID: playstation: Clamp num_touch_reports kernel: HID: playstation: Clamp num_touch_reports A flaw was found in the Linux kernel's Human Interface Device (HID) PlayStation driver. A malicious device could provide an excessively large number of touch reports, leading to an out-of-bounds read in the `dualshock4_parse_report` function. This could allow an attacker to read up to 2 KiB of kernel memory, potentially leading to information disclosure. Package: kernel (R

CVE-2026-46109 CWE-772 kernel: usb: ulpi: fix memory leak on ulpi_register() error paths kernel: usb: ulpi: fix memory leak on ulpi_register() error paths A flaw was found in the Linux kernel's USB ULPI (Ultra Low Pin Interface) subsystem. This memory leak vulnerability occurs during error handling in the `ulpi_register()` function. If certain registration failures occur, allocated memory is not properly released, which could lead to resource exhaustion and potentially a denial of service (DoS)

CVE-2026-46164 CWE-1341 kernel: btrfs: fix double free in create_space_info_sub_group() error path kernel: btrfs: fix double free in create_space_info_sub_group() error path A flaw was found in the Linux kernel's btrfs filesystem. This vulnerability, a double free, occurs in the `create_space_info_sub_group()` function's error handling path. When `kobject_init_and_add()` fails, a memory region can be freed twice. This can lead to memory corruption, potentially resulting in a denial of service o

CVE-2026-46171 CWE-772 kernel: riscv: kvm: fix vector context allocation leak kernel: riscv: kvm: fix vector context allocation leak A flaw was found in the Linux kernel's Kernel-based Virtual Machine (KVM) for RISC-V architecture. This vulnerability occurs when a second memory allocation fails during the vector context setup, causing a previously allocated memory block to be leaked. Over time, repeated occurrences of this issue could lead to memory exhaustion, potentially impacting system stab

CVE-2026-46210 CWE-825 kernel: media: iris: fix use-after-free of fmt_src during MBPF check kernel: media: iris: fix use-after-free of fmt_src during MBPF check A flaw was found in the Linux kernel's iris media driver. A race condition can occur when the driver attempts to free a resource while it is still being accessed by another part of the system. This leads to a use-after-free vulnerability, where a program tries to use memory that has already been released. Exploiting this flaw could caus

CVE-2026-46221 CWE-772 kernel: EDAC/versalnet: Fix device name memory leak kernel: EDAC/versalnet: Fix device name memory leak A flaw was found in the Linux kernel's EDAC/versalnet component. A memory leak occurs because the device name, allocated during initialization, is not properly freed. Over time, this unreleased memory could lead to resource exhaustion, potentially impacting system stability and availability. Package: kernel (Red Hat Enterprise Linux 10) - Not affected Package: kernel

CVE-2026-46148 CWE-372 kernel: spi: microchip-core-qspi: control built-in cs manually kernel: spi: microchip-core-qspi: control built-in cs manually A flaw was found in the Linux kernel's microchip-core-qspi driver. When multiple devices are connected to the QSPI controller, the built-in chip select (CS) was automatically set to an active state even when Linux attempted to access a device using a General Purpose Input/Output (GPIO) pin for its chip select. This incorrect chip select behavior co

CVE-2026-46090 [HIGH] CWE-364 kernel: ALSA: aloop: Fix peer runtime UAF during format-change stop kernel: ALSA: aloop: Fix peer runtime UAF during format-change stop A flaw was found in the Linux kernel's ALSA (Advanced Linux Sound Architecture) aloop driver. This Use-After-Free (UAF) vulnerability occurs when loopback_check_format() stops the capture side during a format change, while a concurrent close operation detaches or frees the runtime. An attacker could potentially exploit this to caus

CVE-2026-45898 [HIGH] CWE-1341 kernel: RDMA/iwcm: Fix workqueue list corruption by removing work_list kernel: RDMA/iwcm: Fix workqueue list corruption by removing work_list A flaw was found in the Linux kernel's Remote Direct Memory Access (RDMA) Internet Wide Area RDMA Protocol (iWARP) subsystem. Incorrect work submission logic in the `iwcm` component can lead to multiple queueing of work items. This allows a work item to be processed and freed while still present in the workqueue, causing lis

CVE-2026-46086 [HIGH] CWE-367 kernel: net: bridge: use a stable FDB dst snapshot in RCU readers kernel: net: bridge: use a stable FDB dst snapshot in RCU readers A flaw was found in the Linux kernel. Inconsistent handling of local Forwarding Database (FDB) entries in the bridge networking component's RCU (Read-Copy-Update) readers can lead to a null-pointer dereference. A local attacker could exploit this by triggering a concurrent update to an FDB entry, causing the system to crash and resulti

CVE-2026-45984 [HIGH] CWE-826 kernel: gfs2: Fix use-after-free in iomap inline data write path kernel: gfs2: Fix use-after-free in iomap inline data write path A flaw was found in the Linux kernel's GFS2 filesystem. This memory corruption vulnerability, a use-after-free, occurs in the iomap inline data write path. The issue arises because a data buffer is released prematurely while still being referenced, leading to a write to freed memory. This could allow a local attacker to cause system inst

CVE-2026-45975 [HIGH] CWE-820 kernel: ublk: use READ_ONCE() to read struct ublksrv_ctrl_cmd kernel: ublk: use READ_ONCE() to read struct ublksrv_ctrl_cmd A flaw was found in the Linux kernel's `ublk` subsystem. A local attacker could exploit a race condition where the kernel reads `struct ublksrv_ctrl_cmd` from userspace-mapped memory without proper synchronization. This allows a malicious user to concurrently write to the structure, potentially causing the kernel to operate on inconsistent dat

CVE-2026-46056 [HIGH] CWE-413 kernel: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers kernel: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers A flaw was found in the Linux kernel's Bluetooth subsystem. This vulnerability, a Use-After-Free (UAF), exists within the Secure Simple Pairing (SSP) passkey handlers. It occurs when `hci_conn` lookup and field access are performed without proper locking, allowing a connection to be freed concurrently. This could potentiall

CVE-2026-46099 [HIGH] CWE-911 kernel: net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels kernel: net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels A flaw was found in the Linux kernel's IPv6 networking implementation, specifically within the `seg6` and `rpl` lwtunnels. A race condition can occur when handling destination cache entries, where a `NOREF` (no reference) destination object is used after it has been freed. This use-after-free vulnerability can lead to system instability or a

CVE-2026-45972 [HIGH] CWE-825 kernel: smb: client: fix potential UAF and double free in smb2_open_file() kernel: smb: client: fix potential UAF and double free in smb2_open_file() A flaw was found in the Linux kernel's Server Message Block (SMB) client. This vulnerability, within the `smb2_open_file()` function, could allow an attacker to cause memory corruption due to improper handling of memory during file open operations. This could lead to system instability or potentially enable an attacke

CVE-2026-45998 [HIGH] CWE-825 kernel: rxrpc: Fix potential UAF after skb_unshare() failure kernel: rxrpc: Fix potential UAF after skb_unshare() failure A flaw was found in the Linux kernel's `rxrpc` subsystem. This vulnerability arises when the system attempts to unshare a packet buffer, and the operation fails due to an allocation issue. This failure can lead to a Use-After-Free (UAF) condition, where the system attempts to access memory that has been freed, potentially causing a system crash.

CVE-2026-45837 [HIGH] CWE-825 kernel: bpf: Fix use-after-free in arena_vm_close on fork kernel: bpf: Fix use-after-free in arena_vm_close on fork A flaw was found in the Linux kernel. A use-after-free vulnerability exists in the `arena_vm_close` function during a `fork` operation. This occurs because the child's Virtual Memory Area (VMA) is not correctly registered, leading to a dangling pointer. If a child process attempts to access this stale pointer, it can trigger memory corruption, potenti