CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
In the Linux kernel, the rtl8723bs staging driver for Realtek WiFi chipsets lacks bounds checks before subtracting fixed IE offsets from ie_length, which can cause unsigned integer underflow.
In the Linux kernel, the bnxt_en driver has a NULL pointer dereference vulnerability. It occurs when PCIe error recovery runs on a closed network interface, and bnxt_io_error_detected() accesses the uninitialized bp->bnapi structure.
In the Linux kernel IB/isert driver, a missing lower bound check on iSER login PDU length allows a remote initiator to send a packet shorter than 76 bytes, causing signed integer underflow and out-of-bounds memory access, crashing the target node.
A use-after-free vulnerability was found in the Linux kernel's IP fragment reassembly mechanism. During network namespace teardown, fqdir_pre_exit() flushes fragment queues without resetting q->fragments_tail and q->last_run_head pointers, which still reference freed skb buffers. This can cause memory corruption when another thread resumes processing on an already flushed queue.
In the Linux kernel, a vulnerability was found in the overlayfs mechanism where ovl_iterate_merged() incorrectly stores PTR_ERR(cache) in the err variable before checking if cache is valid. On successful ovl_cache_get(), err holds a truncated pointer that can be returned as a bogus non-zero error, leading to incorrect directory read operations.
In the Linux kernel, the accel/ethosu driver has a heap out-of-bounds write vulnerability in ethosu_gem_cmdstream_copy_and_validate(). The command parsing loop fails to re-check the buffer bound after incrementing the index for 64-bit commands, allowing userspace to write past the allocated DMA buffer.
In the Linux kernel driver for Ethos-U accelerator (accel/ethosu), a vulnerability was found in the command stream parser. The NPU_SET_IFM_REGION function uses a 0x7f mask instead of 0x7, allowing out-of-bounds indexing of the region_size[] array (size 8). A userspace attacker can craft a call to write past the allocated buffer, corrupting adjacent kernel heap data.
In the Linux kernel, the accel/ethosu driver contains arithmetic issues in the dma_length() function. Incorrect arithmetic operations can cause integer overflows, bypassing GEM buffer access validation.
In the Linux kernel, the accel/ethosu driver has a vulnerability due to uninitialized DMA length. If userspace omits setting the DMA length before starting a transfer, the driver uses an uninitialized value (U64_MAX), leading to bypass of bounds checks and execution of DMA with stale physical addresses.
In the Linux kernel's accel/ethosu driver, the NPU_OP_RESIZE command, which is U85-only, is not yet implemented. When userspace submits this command via DRM_IOCTL_ETHOSU_GEM_CREATE, it triggers a WARN_ON(1), causing unbounded kernel log spam. If panic_on_warn is set, the kernel panics, giving any unprivileged user with access to the DRM device a trivial denial-of-service primitive.
A vulnerability was found in the Linux kernel's FUSE filesystem, allowing the FUSE daemon to perform pagecache write/read operations on directories. The FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE operations were accepted for directories, potentially triggering WARN_ON() in fuse_parse_cache() when bogus data is present in the cache. The fix rejects these operations for anything other than regular files with -EINVAL.
In the Linux kernel, a vulnerability was found in the FUSE filesystem where FUSE_NOTIFY_RETRIEVE requests could return data from non-uptodate folios containing uninitialized data. This affects systems without automatic zero-initialization of page allocations (CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1).
This CVE has been rejected or withdrawn by its CVE Numbering Authority.
In the Linux kernel, a race condition in iomap error handling for buffered reads can cause a NULL pointer dereference. Decrementing read_bytes_pending before error reporting allows another thread to complete the folio and detach it, leading to a crash.
In the Linux kernel, a vulnerability in the IOMMU/DMA subsystem causes iommu_dma_iova_link_swiotlb() to attempt mapping a zero-length region, leading to iommu_map() failure and mapping corruption. This is frequently triggered by Thunderbolt NVMe drives forcing SWIOTLB for unaligned memory.
A vulnerability was found in the Linux kernel's rtmutex locking mechanism, where remove_waiter() can be called for a non-enqueued waiter, leading to a NULL pointer dereference. The issue occurs during FUTEX_CMP_REQUEUE_PI operations when the waiter is not properly registered in the wait queue.
In the Linux kernel, a vulnerability in memcg's refill_stock uses get_random_u32_below() which is unsafe in NMI context, potentially corrupting the ChaCha batch state. The fix replaces random selection with a per-CPU round-robin counter.
A use-after-free vulnerability was found in the Linux kernel's fastrpc driver. When the user closes the file descriptor, the fastrpc_user structure is freed, but a workqueue may still access the freed memory, leading to a security issue.
A use-after-free vulnerability was found in the Linux kernel's fastrpc driver. The fastrpc_map_lookup function returns a raw pointer after releasing the lock, and the caller fastrpc_map_create attempts to increment the reference count on this unprotected pointer. A concurrent MEM_UNMAP operation can free the map between the lock release and the increment, leading to use-after-free.
In the Linux kernel, the misc: fastrpc driver has a vulnerability due to misuse of find_vma(). When a user pointer falls in a gap before the returned VMA, the DMA address offset calculation underflows, corrupting the DMA address sent to the DSP.

