CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-53258
Medium

A memory leak in the Linux kernel's Wi-Fi subsystem has been identified during 6 GHz scanning. The rdev->int_scan_req object is not freed when cfg80211_scan() fails because rdev->scan_req remains NULL, preventing proper memory release in ___cfg80211_scan_done().

CVE-2026-53257
Medium

In the Linux kernel, a vulnerability in the cfg80211 subsystem could cause a crash in mac80211 when eht_cap is set but eht_oper is missing. Consistency enforcement for HE/EHT elements has been added to prevent this.

CVE-2026-53256
High

A use-after-free vulnerability was found in the Linux kernel's Bluetooth RFCOMM subsystem in the rfcomm_connect_ind() function. The issue stems from missing reference counting on the listening socket after leaving the rfcomm_sk_list lock, allowing a race condition with socket closure and potential exploitation.

CVE-2026-53255
High

In the Linux kernel Bluetooth stack, an out-of-bounds read vulnerability was found in tlv_data_is_valid(). A malformed MGMT_OP_ADD_ADVERTISING request can cause reading one byte past the allocated buffer, as reported by KASAN.

CVE-2026-53254
High

In the Linux kernel, a vulnerability in Bluetooth RFCOMM MCC handlers fails to validate skb length before accessing data. A remote attacker can send truncated MCC frames, triggering out-of-bounds reads.

CVE-2026-53253
High

A vulnerability was found in the Linux kernel's Bluetooth BNEP subsystem due to missing frame length validation before parsing. A remote attacker can send a short BNEP SDU frame, causing a slab-out-of-bounds read and potentially system instability.

CVE-2026-53252
Medium

A memory leak in the error path of hci_alloc_dev() in the Linux kernel was fixed. When Bluetooth HCI UART device initialization fails before registration, the HCI_UNREGISTER flag is not set, bypassing hci_release_dev() and leaking SRCU percpu memory. The fix explicitly calls cleanup_srcu_struct() in the unregistered branch of bt_host_release().

CVE-2026-53251
Medium

In the Linux kernel Bluetooth ISO subsystem, a reference leak of the hci_dev structure was found. The iso_conn_big_sync function fails to release the reference obtained by hci_get_route(), leading to memory exhaustion.

CVE-2026-53250
High

A TOCTOU vulnerability was found in the Linux kernel's xsk_skb_metadata() function related to TX metadata processing in the XSK mechanism. A malicious userspace application can race to overwrite csum_start and csum_offset values between two reads, bypassing bounds validation and causing out-of-bounds memory access during checksum computation.

CVE-2026-53249
Medium

In the Linux kernel, the ability to set IP LSRR and SSRR options has been restricted to users with CAP_NET_RAW capability. This prevents unprivileged applications from forcing packet routing through attacker-controlled nodes to leak TCP ISN and other protocol information.

CVE-2026-53248
High

In the Linux kernel's airoha network driver, a use-after-free vulnerability was found in metadata dst teardown. The metadata_dst_free() function freed memory directly via kfree(), bypassing the RCU grace period, allowing access to freed memory through noref pointers in the RX path.

CVE-2026-53247
Critical

In the Linux kernel's mtk_eth_soc network driver, a use-after-free vulnerability was found. The mtk_free_dev() function calls metadata_dst_free() which immediately frees the metadata_dst memory, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer, which can lead to accessing freed memory if any skb still holds that pointer during driver teardown.

CVE-2026-53246
Critical

In the Linux kernel SCTP stack, the length of a cached INIT chunk in COOKIE_ECHO processing was not validated. Missing validation can lead to out-of-bounds reads and potential memory corruption.

CVE-2026-53245
Medium

In the Linux kernel MRP subsystem, a vulnerability was found in the mrp_pdu_parse_vecattr() function. Parsing errors in vector attributes can lead to incorrect packet processing, including spurious events, skipped FirstValue fields, and incorrect attribute value incrementation.

CVE-2026-53244
High

In the Linux kernel, a vulnerability in nfsd4_create_file() can cause a failure to release a lock on the parent directory due to improper error handling from dentry_create(). This occurs when an exported filesystem uses atomic_create() and returns an error.

CVE-2026-53243
Medium

A vulnerability in the Linux kernel uses an uninitialized stack variable in rseq_exit_user_update(). The issue stems from undefined initialization order in C structure fields, causing kernel information leak.

CVE-2026-53242
High

A vulnerability was found in the Linux kernel's ALSA PCM driver, where snd_pcm_drain() can corrupt wait queues when handling linked streams. The bug stems from improper wait entry management, potentially leading to a NULL pointer dereference and kernel panic.

CVE-2026-53241
Medium

In the Linux kernel, the ALSA seq dummy driver has a vulnerability involving a stack overread when processing UMP events. Copying an event into a temporary structure smaller than struct snd_seq_ump_event causes out-of-bounds reads when delivering to subscribers.

CVE-2026-53240
High

A use-after-free vulnerability was found in the Linux kernel's xfrm IPsec module in the __input_process_payload function. The issue occurs when first_skb is stored in xtfs->ra_newskb without a lock, allowing another thread to free it, leading to use-after-free.

CVE-2026-53239
High

A use-after-free vulnerability was found in the Linux kernel's XFRM policy mechanism. The bug occurs in xfrm_policy_bysel_ctx() when deleting a policy, as the xfrm_policy_lock is released before pruning the inexact bin, leading to a race condition and use of freed memory.

PreviousPage 187 of 4563Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS