CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-53043
Critical

In the Linux kernel's OCFS2 filesystem and its DLM (Distributed Lock Manager) component, a vulnerability was found due to missing validation of the `qr_numregions` field in the `dlm_match_regions()` function. An attacker can send a crafted DLM_QUERY_REGION network message with an inflated `qr_numregions` value, causing an out-of-bounds read past the 1024-byte `qr_regions` buffer.

CVE-2026-53026
High

In the Linux kernel's NFSD subsystem, a bug in nfsd4_add_rdaccess_to_wrdeleg causes an unnecessary increment of the nfs4_file access count. When another thread already set fp->fi_fds[O_RDONLY], calling __nfs4_file_get_access again leads to an extra count, preventing the nfsd_file object from being freed. Stopping the NFS server service triggers a BUG in kmem_cache_destroy() due to these extra counts.

CVE-2026-53010
Critical

A use-after-free vulnerability was found in the Linux kernel's ksmbd module in the smb2_open function during durable reconnect. Premature release of the file descriptor reference leads to accessing freed memory when an error occurs or a scavenger accesses the file.

CVE-2026-53006
Critical

A vulnerability was found in the Linux kernel's icmpv6_rcv() function for IPv6. Caching source and destination addresses before calling pskb_pull() may lead to a use-after-free (UAF) due to changes in the skb->head pointer.

CVE-2026-53003
High

A vulnerability in the Linux kernel's PPPoE driver drops frames with Protocol Field Compression (PFC). An attacker can send a crafted frame with a 1-byte protocol field, causing data shift and potential unaligned access exceptions on some architectures.

CVE-2026-53002
Critical

In the Linux kernel netfilter/conntrack subsystem, a stack-out-of-bounds write vulnerability was found in the mangle_content_len function. The fix replaces unsafe sprintf with scnprintf and increases buffer size.

CVE-2026-52999
Critical

In the Linux kernel, a vulnerability in the netfilter nfnetlink_osf module causes an out-of-bounds read during TCP option matching. The issue occurs because the shared ctx->optp pointer is not restored after early return in nf_osf_match_one(), leading to garbage reads when logging all matches.

CVE-2026-52998
High

In the Linux kernel, a vulnerability was found in the netfilter nfnetlink_osf module, where the nf_osf_ttl() function accessed the network interface pointer (skb->dev) without validation, potentially causing a NULL pointer dereference. The TTL check logic also relied on an incorrect subnet assumption, unreliable in container and virtual switching environments.

CVE-2026-52993
Critical

In the Linux kernel, a double-free vulnerability was found in the tipc_buf_append() function. The issue arises because tipc_msg_validate() may reallocate the skb buffer and free the old one, while a local variable held a copy of the original pointer. On validation failure, the original pointer was freed again.

CVE-2026-52989
Critical

In the Linux kernel's NVMe over TCP subsystem (nvmet-tcp), the nvmet_tcp_build_pdu_iovec() function failed to propagate errors to its callers when detecting an out-of-bounds PDU length or offset. Consequently, callers like nvmet_tcp_handle_h2c_data_pdu() overwrote the queue state and attempted to read network data into an uninitialized iterator, potentially leading to undefined behavior.

CVE-2026-52986
Critical

In the Linux kernel, the nf_conntrack_sip module replaced unsafe simple_strtoul usage with a new sip_parse_port() helper that validates each digit against the buffer limit. The previous code dereferenced pointers without bounds checks and relied on simple_strtoul on non-NUL-terminated skb data, which could lead to errors. Additionally, overly long digit sequences and port values outside the 1k-64k range are now rejected.

CVE-2026-52983
High

In the Linux kernel, a vulnerability in the airoha network driver causes a BQL (Byte Queue Limits) imbalance in the TX path. The issue arises from incorrect TX queue indexing, where inflight packets are accounted only for a subset of queues, while completions are accounted for all queues.

CVE-2026-52982
Critical

A use-after-free vulnerability was discovered in the Linux kernel's rtl8150 driver for USB Ethernet devices. The issue occurs when rtl8150_start_xmit() reads skb->len after calling usb_submit_urb(), while the skb buffer may be freed by the USB completion handler before the transmission completes.

CVE-2026-52981
High

In the Linux kernel, the neigh_xmit function leaks an skb when called with an uninitialized neighbor table (e.g., NEIGH_ND_TABLE with IPv6 disabled). The function did not free or transmit the packet in this path, leading to resource leak. The fix ensures full skb ownership and removes the last code path that does not xmit or free the skb.

CVE-2026-52974
High

A memory leak in the Linux kernel's TLS subsystem occurs when hardware offload setup fails. The cleanup function fails to free the anchor skb allocated by strparser. This issue was introduced after a change to the strparser implementation.

CVE-2026-52967
High

In the Linux kernel, the SMB client subsystem has a vulnerability causing an infinite loop and out-of-bounds read in the symlink_data() function. The issue occurs on 32-bit architectures where an invalid ErrorDataLength value can make the next pointer point to the start of the structure or beyond it.

CVE-2026-52960
High

In the Linux kernel, a vulnerability was found in the Ceph filesystem where folios not suitable for writeback were not released during batch processing. This caused a memory leak as references to folios were not properly freed.

CVE-2026-52958
Critical

In the Linux kernel, a potential out-of-bounds memory access vulnerability was found in the osdmap_decode() function of the libceph library. The issue is caused by an incorrect size check in ceph_decode_need() that accounts for only one element instead of map->max_osd elements, potentially leading to reads beyond the allocated buffer.

CVE-2026-52957
High

In the Linux kernel's libceph library, a null pointer dereference vulnerability was found during decoding of choose_args in the CRUSH map. The issue occurs when a crafted CEPH_MSG_OSD_MAP message contains a corrupted CRUSH map with a bucket index pointing to a non-existent (NULL) bucket, potentially causing a system crash.

CVE-2026-52956
High

In the Linux kernel's libceph library, a potential out-of-bounds memory access was found in the __ceph_x_decrypt() function. An attacker can send a crafted frame (e.g., FRAME_TAG_AUTH_REPLY_MORE) with a short ciphertext, causing access to the ceph_x_encrypt_header structure without verifying the buffer size.

PreviousPage 208 of 4562Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS