CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
In the Linux kernel, a vulnerability in the netfilter nft_exthdr module causes the register bitmap to mark more bytes as initialized than actually written when the F_PRESENT flag is set. If priv->len exceeds 4 bytes, registers beyond the first retain uninitialized stack data, leading to information disclosure.
In the Linux kernel, the mvpp2 driver had a DMA synchronization bug for received packets. The CPU sync function started at an incorrect offset, missing data at the packet tail and syncing unused headroom. On non-coherent DMA systems, this can cause the CPU to read stale cache contents.
In the Linux kernel, the mvpp2 driver incorrectly initializes the XDP frame size (frame_sz) to PAGE_SIZE instead of the actual RX buffer size from the BM pool. This allows bpf_xdp_adjust_tail() to grow a packet beyond the allocated buffer, causing memory corruption.
In the Linux kernel, a vulnerability in the mvpp2 driver allows an RX buffer to be returned to the BM pool after being handed to XDP or skb, causing use-after-free. The fix reorders operations to refill the BM pool before handing the buffer to XDP or skb.
A vulnerability was found in the Linux kernel's cleanup_prefix_route() function for IPv6. The addrconf_get_prefix_route() function can return the fib6_null_entry sentinel with a NULL fib6_table pointer, causing a NULL pointer dereference (NPD) when setting the route expiration time. The fix adds a check before operating on the entry.
In the Linux kernel DRM vc4 driver, a memory leak was discovered due to improper use of krealloc(). Overwriting the original pointer without checking for NULL return value loses the reference to previously allocated memory if reallocation fails.
A use-after-free vulnerability was found in the Linux kernel's nft_tunnel module. The nft_tunnel_obj_destroy() function calls metadata_dst_free() which directly frees the metadata_dst memory, ignoring the dst_entry refcount. Packets that hold a reference via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g., in a netem qdisc) are left with a dangling pointer, leading to use-after-free when dequeued.
In the Linux kernel, a vulnerability in the netfilter nft_meta_bridge module causes the IIFHWADDR register to declare 8 bytes but copy only 6 bytes of MAC address, leaving 2 bytes uninitialized on the stack. This can leak stack data to userspace.
A shared memory (shm) leak was found in the register_shm_helper() function of the TEE driver in the Linux kernel. When iov_iter_npages() returns 0, the function jumps to err_ctx_put, skipping the deallocation of previously allocated shm. The issue can be triggered by TEE_IOC_SHM_REGISTER with zero data length.
A vulnerability was found in the Linux kernel's Bluetooth stack where hci_adv_bcast_annoucement() can cause a temporary buffer overflow when preparing Broadcast Announcement data. The issue occurs when existing advertising instances already hold the maximum extended advertising payload, and prepending service data exceeds the buffer capacity.
In the Linux kernel's Bluetooth L2CAP subsystem, a vulnerability allows an unauthenticated BR/EDR peer within radio range to send a signaling packet larger than the allowed MTU (MTUsig). Such a packet can contain multiple ECHO_REQ commands, forcing the target device to send many ECHO_RSP responses, potentially leading to overload.
A deadlock vulnerability (AA deadlock) was found in the Linux kernel's memory failure handling. Two concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can cause a recursive spinlock self-deadlock on hugetlb_lock when racing with a concurrent unmap.
In the Linux kernel, the accel/ivpu driver now validates firmware runtime memory bounds. Missing bounds check could cause memory allocation and image transfer errors.
In the Linux kernel, the accel/ivpu driver now validates firmware log buffer read/write indices against buffer size. Missing bounds checks could allow out-of-bounds memory access when firmware supplies invalid indices.
In the Linux kernel, a NULL pointer dereference vulnerability was found in the stratix10-rsu driver. The issue occurs when rsu_send_msg() returns -ETIMEDOUT and the code continues processing on a channel whose scl structure has already been cleared, leading to a NULL dereference in the svc kthread.
In the Linux kernel, a buffer overflow check was added in the accel/ivpu driver's get_info_ioctl function. Missing validation of the size returned by firmware could lead to copying data beyond the allocated buffer.
In the Linux kernel, the accel/ivpu driver has a vulnerability in IPC receive due to signed integer truncation. Large unsigned values (>= 0x80000000) from firmware are cast to signed int, causing negative values and stack buffer overflow during memcpy.
In the Linux kernel, an optimization that skipped exec queue schedule toggle during suspend was reverted because it bypassed GuC suspend, preventing context switch TLB flush for invalidated userptr VMAs. This caused page faults in userptr invalidation tests in LR/preempt-fence VM mode.
A vulnerability was found in the Linux kernel's KVM for ARM64, affecting the handling of the XN[0] bit when FEAT_XNX is not supported. The bug incorrectly uses FIELD_PREP() on the mask that clears XN[0], unconditionally granting execute permissions.
In the Linux kernel, the hv_netvsc driver used phys_to_virt() for mapping memory pages, which on 32-bit x86 with CONFIG_HIGHMEM=y causes memory access faults and system crashes. The fix replaces phys_to_virt() with kmap_local_page() to correctly handle pages outside the kernel direct map.

