CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
A NULL pointer dereference was found in the Linux kernel's fastrpc driver during an rpmsg callback. The issue occurs when the DSP sends a message before fastrpc_channel_ctx initialization completes, causing a system crash.
In the Linux kernel, a vulnerability in the Phonet subsystem was found where phonet_device_destroy() removes a phonet_device from the per-net list using list_del_rcu() but frees it immediately, while RCU readers may still hold a pointer, leading to a slab-use-after-free.
A use-after-free vulnerability was found in the Linux kernel's NVMEM subsystem. Error handling paths incorrectly use the nvmem structure after freeing its memory, potentially leading to security breaches.
A vulnerability was found in the Linux kernel's set_pmd_migration_entry() function in mm/huge_memory.c. The function incorrectly uses pmd_write(), pmd_soft_dirty(), and pmd_uffd_wp() flags for device-private PMD entries, leading to incorrect marking of migration entries as writable. The issue was observed in the hmm.hmm_device_private.anon_write_child test, causing rmap state corruption and assertion failures.
A vulnerability in the Linux kernel's hugetlb reservation management was found. During hugetlb folio copy operations (e.g., UFFDIO_COPY or fork), error handling fails to restore the VMA reservation, causing a leak that can lead to SIGBUS on previously reserved addresses.
In the Linux kernel, a vulnerability in the list_lru mechanism during memcg reparenting was found. The xarray entry for a dying memcg is cleared before draining its per-node lists, allowing concurrent list_lru_del() operations to modify the same list nodes under different locks, leading to data structure corruption.
In the Linux kernel MMC driver for old Rockchip controllers (rk2928, rk3066, rk3188), missing private data structure caused NULL-pointer dereference after adding memory clock auto-gating support. This affects Linux kernel.
In the Linux kernel's AF_RXRPC subsystem, a vulnerability was found in the ACK parser due to improper access to the SACK buffer in received UDP packets. The rxrpc_input_soft_acks() function modifies the skbuff and may incorrectly read data in case of packet fragmentation, potentially leading to parsing errors.
In the Linux kernel, the Thunderbolt driver's validator accepts property entries with zero length, causing a buffer underflow when null-terminating the text. This can lead to out-of-bounds memory write.
In the Linux kernel's Thunderbolt driver, a vulnerability was found due to missing bounds check for root directory content offset and length against block size. This can cause out-of-bounds memory read when processing properties.
In the Linux kernel Thunderbolt driver, a vulnerability exists where the per-packet copy length derived from the XDomain response header is not validated against the allocated buffer size. A malicious peer can set a length field larger than the declared data_length, causing memcpy to write past the kcalloc allocation.
In the Linux kernel, a vulnerability in the Thunderbolt driver allows out-of-bounds reads because tb_xdp_handle_request() casts received packet buffers to protocol-specific structs without verifying the allocation is large enough. An attacker can send a minimal XDomain packet that passes the generic header length check but is shorter than the target struct.
In the Linux kernel Thunderbolt subsystem, a vulnerability was found where tb_xdomain_copy() copies data from the XDomain response buffer without checking the actual frame size. A short response can cause reading beyond the valid DMA buffer area, exposing stale data from previous transactions.
A vulnerability was found in the Linux kernel's DRM GEM driver related to the change_handle ioctl operation. The issue stems from race condition bugs in the implementation, potentially leading to data races between GEM object close and handle change operations.
In the Linux kernel, a NULL pointer dereference vulnerability was found in the DRM AMD KFD driver. The get_queue_ids() function returns NULL when usr_queue_id_array is NULL and num_queues is non-zero, causing a kernel panic.
A buffer overflow vulnerability was found in the Linux kernel's amdkfd driver during SDMA queue checkpoint/restore on GFX11. The bug is caused by incorrect assignment of checkpoint/restore functions for SDMA MQD type, using a structure size of 2048 bytes instead of 512, leading to data leaks or memory corruption.
In the Linux kernel, a bug in the DRM/XE driver causes an oops during suspend or shutdown when the display is absent. The issue stems from improper handling of the probe_display flag, which is not reset after detecting missing display via fuses, leading to display code being called on uninitialized mode config.
In the Linux kernel DRM driver for V3D, a reference counting issue was found in the global performance monitor. Functions SET_GLOBAL, CLEAR_GLOBAL, and perfmon deletion fail to release references properly, causing memory leaks.
A vulnerability in the Linux kernel's DRM V3D driver causes a virtual address (vaddr) mapping leak when processing indirect CSD buffers. If the workgroup count read from the buffer is zero, the v3d_rewrite_csd_job_wg_counts_from_indirect() function exits early without releasing the mappings of both buffers.
In the Linux kernel, a vulnerability was found in the DRM V3D driver due to missing validation of zero workgroup counts in indirect CSD jobs. Submitting a dispatch with a zero count in any dimension is invalid and may cause unexpected hardware behavior.

