CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
In the Linux kernel, a use-after-free vulnerability was found in ksmbd related to a deferred file_lock during double SMB2_CANCEL. A second cancel for the same AsyncId triggers the cancel callback on already freed memory, leading to a security breach.
An ABBA deadlock was found in the Linux kernel's iptfs_destroy_state() function in the IPTFS (IPsec) implementation. The issue occurs when the function calls hrtimer_cancel() while holding a spinlock also required by the timer callback, leading to a deadlock on SMP systems.
A heap overflow vulnerability was found in the io_ti USB serial driver in the Linux kernel. The get_manuf_info() function reads a Size field from the USB device that can be set up to 16377 bytes, while the destination buffer is only 10 bytes, causing a heap overflow of up to 16367 bytes. The fix adds validation of the descriptor length before reading.
In the Linux kernel, a vulnerability in the USB serial io_ti driver was found where build_i2c_fw_hdr() allocates a fixed-size buffer but copies user-controlled length data (up to 65535 bytes) without validation, causing a heap overflow.
A buffer overflow vulnerability was found in the kl5kusb105 USB serial driver in the Linux kernel. The klsi_105_prepare_write_buffer() function copies data from the fifo into a 64-byte buffer without accounting for the two-byte header, causing an out-of-bounds write. The issue was observed by KASAN during device emulation.
In the Linux kernel, a use-after-free vulnerability was found in the ALSA timer subsystem. When a timer object is freed via snd_timer_free, slave timer instances still point to the freed object, leading to potential memory corruption. The bug is easily triggered with the new userspace-driven timers (CONFIG_SND_UTIMER).
A use-after-free (UAF) vulnerability was found in the snd_timer_user_params() function of the ALSA driver in the Linux kernel. The issue occurs when a user timer (CONFIG_SND_UTIMER) is being closed while another thread concurrently executes the SNDRV_TIMER_IOCTL_PARAMS ioctl, which was not protected by the register_mutex. The patch adds the missing synchronization to prevent the race condition.
In the Linux kernel's io_uring/net subsystem, a vulnerability was found due to improper inheritance of the IORING_CQE_F_BUF_MORE flag during bundle recv retries. The flag was missing from the CQE_F_MASK, causing it to be dropped and leading to incorrect buffer management by userspace.
In the Linux kernel, a dma_fence refcount leak was found in the virtio-gpu driver. The function virtio_gpu_dma_fence_wait() fails to release the chain reference on early return from the loop on error, causing a memory leak.
In the Linux kernel, a vulnerability was found in __split_huge_pmd_locked() where the file/shmem RSS counter was updated after dropping the folio reference. If folio_put() released the last reference, subsequent reads of folio state by mm_counter_file() could access freed memory.
In the Linux kernel RDMA/core component, a vulnerability was found due to missing validation of the file operations structure (fops) in the ib_get_ucaps() function. An attacker can use a block device with the same device number (dev_t) to impersonate a legitimate ucap cdev device.
In the Linux kernel RDMA/core subsystem, the cpu_id attribute from user space is passed to cpumask_test_cpu() without validation, potentially causing an out-of-bounds read of the CPU bitmap. With CONFIG_DEBUG_PER_CPU_MAPS and panic_on_warn enabled, this can lead to a system reboot.
In the Linux kernel, the RDMA/SRP driver lacks validation of the sense data length copied from SRP_RSP responses. A malicious or compromised SRP target on InfiniBand/RoCE can set a large resp_data_len, causing an out-of-bounds read beyond the received buffer and potentially a page fault.
A use-after-free vulnerability was found in the zram_bvec_write_partial() function of the Linux kernel's zram driver. During partial write, the read from the backing device is performed asynchronously, and the buffer page is freed before the read completes, causing a write to freed memory.
In the Linux kernel, a vulnerability exists in the UDP receive path where skb->dev is repurposed as dev_scratch (state cache). When a UDP socket is in a sockmap, the SK_SKB verdict program may call a socket lookup helper (bpf_sk_lookup) that reads skb->dev as a net_device pointer, leading to a non-canonical address dereference and a general protection fault (GPF) in softirq context.
In the Linux kernel's MPTCP implementation, a vulnerability was found where the TCP receive window is artificially inflated. When data is acknowledged at the TCP level but is out-of-order in the MPTCP sequence space, the receive window cannot shrink, causing the receive buffer to be exceeded. The patch allows the TCP subflow to shrink the receive window regardless of network settings.
In the Linux kernel, a vulnerability was found in nl80211_parse_rnr_elems() where the element count is stored in an 8-bit field of the cfg80211_rnr_elems structure. Lack of proper validation before incrementing the counter may lead to buffer overflow when processing oversized EMA RNR lists.
In the Linux kernel, a leak of the sk_ack_backlog counter was found in the vsock/vmci driver during a failed handshake. This causes the counter to increase permanently, eventually blocking all new connections when the limit is reached.
A livelock vulnerability was found in the Linux kernel's timer migration mechanism in the tmigr_handle_remote_up() function. The issue stems from an incorrect assumption that the local softirq already handled the CPU's timers, causing timer_expire_remote() to be skipped and leading to an infinite loop.
In the Linux kernel, a buffer over-read vulnerability was found in the staging driver rtl8723bs in the rtw_update_protection function. The function is called with a pointer offset into the ies buffer but the full ie_length is passed, potentially causing a read beyond the allocated buffer.

