CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
A vulnerability related to a memory leak when destroying a device in the MT76 driver has been fixed in the Linux kernel. The issue affects all MT76 rx queues that have an associated page_pool, even if they are not linked to NAPI.
A vulnerability has been identified in the Linux kernel that could lead to a deadlock in the mt7925_roc_abort_sync function. The issue occurred when this function attempted to cancel work that was already holding a mutex, leading to a blockage.
A vulnerability has been identified in the Linux kernel related to a memory leak in the mt76_connac_mcu_alloc_sta_req() function. If intermediate functions fail, the allocated memory is not freed, leading to a leak.
A potential deadlock was found in the Linux kernel's mt7921 driver in the mt7921_roc_abort_sync function. The issue occurs when cancel_work_sync() is called while roc_work() holds dev->mt76.mutex, causing both threads to block indefinitely.
A vulnerability in the Linux kernel has been fixed that led to a deadlock in the mt76_remain_on_channel() and mt76_roc_complete() functions. The issue was caused by double acquisition of the dev->mutex during the mt76_set_channel() call.
A vulnerability in the Linux kernel related to the incorrect use of the CONFIG_CFI_CLANG option, which has been renamed to CONFIG_CFI, has been resolved. Using the wrong name can lead to the code being compiled out, resulting in CFI failures for btf_dtor_kfunc_t.
A vulnerability has been identified in the Linux kernel related to use-after-free bugs in the mt7915_mac_dump_work() function. The issue occurs when the mt7915 PCI chip is detached, and the crash_data is released while the dump_work task may still be running or pending.
A vulnerability has been identified in the Linux kernel related to use-after-free bugs in the mt7996_mac_dump_work() function. The issue occurs when the mt7996 PCI chip is being detached, and the crash_data is released while the dump_work task may still be running or pending.
A vulnerability was found in the Linux kernel's dev_map_redirect_multi() function for the SKB path in BPF. Using unsafe hlist_for_each_entry_safe() instead of hlist_for_each_entry_rcu() can cause data races on weakly-ordered architectures (ARM64, POWER).
A vulnerability in the Linux kernel was identified that allowed the abuse of the kprobe mechanism in conjunction with freplace, enabling modification of the pt_regs structure. This issue occurred when uprobe programs could change register values during kernel function calls.
A use-after-free vulnerability was found in the Linux kernel's BPF subsystem, where the offload->prog pointer becomes stale after constant blinding during JIT compilation. When a dev-bound-only BPF program is cloned and replaced, the offload->prog pointer is not updated, leading to a page fault when the network namespace is destroyed.
A vulnerability has been identified in the Linux kernel due to the lack of error pointer checks in the brcmf_chip_add_core() function. This could lead to dereferencing an error pointer, jeopardizing system stability.
A vulnerability was found in the Linux kernel's BPF mechanism related to incorrect delta tracking of registers when the source and destination registers are the same. In the adjust_reg_min_max_vals() function, in-place modification of the register before reading the source value leads to an incorrect delta, which is propagated to linked registers, causing a verifier-vs-runtime mismatch.
A vulnerability was found in the Linux kernel's qdisc_pkt_len_segs_init() function, which did not ensure that GSO packet headers are in the skb->head buffer. This can lead to incorrect behavior of network drivers expecting headers in this buffer and allow an attacker to send malicious packets causing system crashes.
A vulnerability was found in the Linux kernel's BPF verifier regarding ld_{abs,ind} instructions used in subprograms. On packet data load failure, the verifier did not simulate the abnormal exit path, potentially leading to incorrect control flow analysis.
A vulnerability has been identified in the Linux kernel related to use-after-free in the context of offloaded BPF maps and programs. The issue occurs when querying info, as the network namespace reference count may reach zero, leading to a use-after-free error.
In the Linux kernel, an off-by-one vulnerability was found in the bcmgenet driver's bcmgenet_put_txcb function. The write_ptr points to the next free tx_cb, but the function returned it before rewinding the pointer, causing incorrect cleanup of transmission buffers.
In the Linux kernel, the bcmgenet driver has a vulnerability where free buffer descriptors (free_bds) leak during TX queue reclaim. Fast-forwarding the write pointer skips returning dropped frames to the free pool, leading to resource exhaustion.
In the Linux kernel, a race condition was found in the bcmgenet driver's timeout handler. The handler aggressively stopped all transmit queues when only one queue timed out, causing race conditions with other active queues.
A vulnerability was found in the Linux kernel's open-coded task_vma iterator in BPF. The iterator reads task->mm without locking and does not increment the mm_struct reference count, leading to a use-after-free when the task exits concurrently.

