CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-53238
Medium

A vulnerability was found in the Linux kernel's netlabel subsystem. The netlbl_unlabel_addrinfo_get() function did not validate the length of the mask attribute for unlabeled addresses, allowing a crafted Generic Netlink request with a valid IPv4/IPv6 address but a shorter mask. This caused incomplete data to be read as a full address structure, potentially leading to incorrect behavior or security issues.

CVE-2026-53237
Medium

A NULL pointer dereference vulnerability was found in the Linux kernel's GPIO driver for Marvell Armada. The suspend/resume functions are called for all GPIO banks, but only some support PWM. Accessing the mvpwm structure in a bank without PWM causes a kernel panic.

CVE-2026-53236
Medium

In the Linux kernel, a patch restricts the use of SO_ATTACH_FILTER (cBPF) on TCP sockets to users with CAP_NET_ADMIN capability. This prevents side-channel attacks where an unprivileged application could leak TCP sequence numbers.

CVE-2026-53235
High

A vulnerability was found in the Linux kernel's skb_gro_receive_list() function, which calls skb_pull() without first ensuring data is in the linear area via pskb_may_pull(). For packets arriving via napi_gro_frags(), this can trigger a BUG_ON assertion failure and system crash.

CVE-2026-53234
High

A use-after-free vulnerability was found in the IBM EMAC network driver for the Linux kernel during device removal. Using devm_register_netdev() caused delayed unregister_netdev(), leading to access to freed hardware resources by interrupt handlers.

CVE-2026-53233
High

A double-free vulnerability was found in the Linux kernel's netdev_nl_bind_rx_doit() function. The error path incorrectly calls nlmsg_free(rsp) after genlmsg_reply() has already consumed the skb, causing a double-free. The fix propagates the error to the user instead of attempting to unbind.

CVE-2026-53232
High

In the Linux kernel, a vulnerability was found where sfp_bus_del_upstream() is not called in the probe failure path of the PHY driver. This leaves a dangling 'upstream' pointer in the sfp-bus structure, which may be used later during SFP events.

CVE-2026-53231
Medium

In the Linux kernel, a vulnerability was found where it attempts to set up PHY-driven SFP cages when using the generic genphy driver. This leads to a deadlock on the RTNL lock because for genphy, PHY probing runs under RTNL, unlike other drivers.

CVE-2026-53230
High

In the Linux kernel, a slab-out-of-bounds vulnerability was found in the mlx5 driver's mlx5_query_nic_vport_mac_list function. The firmware command buffer is sized based on PF capabilities, but querying a VF with a larger configuration causes the response to overflow the buffer.

CVE-2026-53229
High

In the mlx5e driver for Mellanox network cards, a DMA memory and XDP frame leak was discovered. When sending an XDP_TX packet in XSK mode, if the hardware queue is full, the function does not free the allocated frame or unmap the DMA address, leading to resource leakage.

CVE-2026-53228
Critical

In the Linux kernel, a vulnerability in the SIT (Simple Internet Transition) IPv6 module uses a stale inner IPv6 header pointer after GSO offloads. The ipip6_tunnel_xmit() function caches the pointer at entry, but iptunnel_handle_offloads() may relocate the skb buffer, causing reads from freed memory.

CVE-2026-53227
Medium

In the Linux kernel, the Open vSwitch module has a vulnerability where kfree_skb can be called on an ERR_PTR pointer. This occurs when the reply buffer allocation happens after locking the mutex, and on failure the pointer is not cleared, leading to an attempt to free an invalid pointer.

CVE-2026-53226
Medium

In the Linux kernel GPIO driver for Rockchip, a memory leak of generic IRQ chips occurs on driver removal. The chips are not freed, potentially leading to use-after-free and kernel crash.

CVE-2026-53225
Critical

A vulnerability was found in the Linux kernel's SCTP stack in the __sctp_rcv_asconf_lookup() function. An unauthenticated peer can send a truncated ASCONF chunk that declares an IPv6 address but ends after the parameter header, causing uninitialized memory to be read.

CVE-2026-53224
Critical

In the Linux kernel, sctp_unpack_cookie() lacked validation of the embedded INIT chunk length and address list length in SCTP cookies. A truncated INIT or oversized address list can cause out-of-bounds reads.

CVE-2026-53223
High

A vulnerability in the Linux kernel's timestamp cmsg handling for AF_PACKET sockets was found. The incorrect assumption that the PACKET_OUTGOING flag uniquely identifies error queue packets allows reading AF_PACKET control buffer state as sock_exterr_skb, potentially leading to memory disclosure or kernel panic.

CVE-2026-53222
Medium

In the Linux kernel, the ptp_ocp driver has a vulnerability due to incorrect resource freeing order. Pin resources are freed before ptp_clock_unregister() is called, leading to a use-after-free condition during driver removal.

CVE-2026-53221
Critical

In the Linux kernel, a bug was found in the vti6_tnl_lookup() function causing incorrect tunnel matching for IP6_VTI. During wildcard tunnel fallback search, missing checks allowed hash collisions to match tunnels without actual wildcard addresses.

CVE-2026-53220
Medium

In the Linux kernel, a vulnerability was found in netfilter where ebt_redirect_tg() dereferences br_port_get_rcu() return without NULL check, causing kernel panic when the bridge port is removed between hook invocation and NFQUEUE reinject. Userspace could also move the device to a different virtual interface, requiring packet drop.

CVE-2026-53219
Medium

In the Linux kernel netfilter/x_tables subsystem, a vulnerability allows leaking percpu counter pointers. During rule copy to userspace, a page fault may leave the raw percpu pointer in the user buffer before the sanitized counter is written.

PreviousPage 188 of 4563Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS