CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
A memory leak in the Linux kernel's Wi-Fi subsystem has been identified during 6 GHz scanning. The rdev->int_scan_req object is not freed when cfg80211_scan() fails because rdev->scan_req remains NULL, preventing proper memory release in ___cfg80211_scan_done().
In the Linux kernel, a vulnerability in the cfg80211 subsystem could cause a crash in mac80211 when eht_cap is set but eht_oper is missing. Consistency enforcement for HE/EHT elements has been added to prevent this.
A use-after-free vulnerability was found in the Linux kernel's Bluetooth RFCOMM subsystem in the rfcomm_connect_ind() function. The issue stems from missing reference counting on the listening socket after leaving the rfcomm_sk_list lock, allowing a race condition with socket closure and potential exploitation.
In the Linux kernel Bluetooth stack, an out-of-bounds read vulnerability was found in tlv_data_is_valid(). A malformed MGMT_OP_ADD_ADVERTISING request can cause reading one byte past the allocated buffer, as reported by KASAN.
In the Linux kernel, a vulnerability in Bluetooth RFCOMM MCC handlers fails to validate skb length before accessing data. A remote attacker can send truncated MCC frames, triggering out-of-bounds reads.
A vulnerability was found in the Linux kernel's Bluetooth BNEP subsystem due to missing frame length validation before parsing. A remote attacker can send a short BNEP SDU frame, causing a slab-out-of-bounds read and potentially system instability.
A memory leak in the error path of hci_alloc_dev() in the Linux kernel was fixed. When Bluetooth HCI UART device initialization fails before registration, the HCI_UNREGISTER flag is not set, bypassing hci_release_dev() and leaking SRCU percpu memory. The fix explicitly calls cleanup_srcu_struct() in the unregistered branch of bt_host_release().
In the Linux kernel Bluetooth ISO subsystem, a reference leak of the hci_dev structure was found. The iso_conn_big_sync function fails to release the reference obtained by hci_get_route(), leading to memory exhaustion.
A TOCTOU vulnerability was found in the Linux kernel's xsk_skb_metadata() function related to TX metadata processing in the XSK mechanism. A malicious userspace application can race to overwrite csum_start and csum_offset values between two reads, bypassing bounds validation and causing out-of-bounds memory access during checksum computation.
In the Linux kernel, the ability to set IP LSRR and SSRR options has been restricted to users with CAP_NET_RAW capability. This prevents unprivileged applications from forcing packet routing through attacker-controlled nodes to leak TCP ISN and other protocol information.
In the Linux kernel's airoha network driver, a use-after-free vulnerability was found in metadata dst teardown. The metadata_dst_free() function freed memory directly via kfree(), bypassing the RCU grace period, allowing access to freed memory through noref pointers in the RX path.
In the Linux kernel's mtk_eth_soc network driver, a use-after-free vulnerability was found. The mtk_free_dev() function calls metadata_dst_free() which immediately frees the metadata_dst memory, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer, which can lead to accessing freed memory if any skb still holds that pointer during driver teardown.
In the Linux kernel SCTP stack, the length of a cached INIT chunk in COOKIE_ECHO processing was not validated. Missing validation can lead to out-of-bounds reads and potential memory corruption.
In the Linux kernel MRP subsystem, a vulnerability was found in the mrp_pdu_parse_vecattr() function. Parsing errors in vector attributes can lead to incorrect packet processing, including spurious events, skipped FirstValue fields, and incorrect attribute value incrementation.
In the Linux kernel, a vulnerability in nfsd4_create_file() can cause a failure to release a lock on the parent directory due to improper error handling from dentry_create(). This occurs when an exported filesystem uses atomic_create() and returns an error.
A vulnerability in the Linux kernel uses an uninitialized stack variable in rseq_exit_user_update(). The issue stems from undefined initialization order in C structure fields, causing kernel information leak.
A vulnerability was found in the Linux kernel's ALSA PCM driver, where snd_pcm_drain() can corrupt wait queues when handling linked streams. The bug stems from improper wait entry management, potentially leading to a NULL pointer dereference and kernel panic.
In the Linux kernel, the ALSA seq dummy driver has a vulnerability involving a stack overread when processing UMP events. Copying an event into a temporary structure smaller than struct snd_seq_ump_event causes out-of-bounds reads when delivering to subscribers.
A use-after-free vulnerability was found in the Linux kernel's xfrm IPsec module in the __input_process_payload function. The issue occurs when first_skb is stored in xtfs->ra_newskb without a lock, allowing another thread to free it, leading to use-after-free.
A use-after-free vulnerability was found in the Linux kernel's XFRM policy mechanism. The bug occurs in xfrm_policy_bysel_ctx() when deleting a policy, as the xfrm_policy_lock is released before pruning the inexact bin, leading to a race condition and use of freed memory.

