CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.15)
A use-after-free vulnerability was found in the Linux kernel in functions that fill info for offloaded BPF maps or programs. During info queries, the functions obtained a network namespace reference that could already be freed, leading to memory corruption.
In the Linux kernel, an off-by-one error was found in the bcmgenet driver's bcmgenet_put_txcb function. The write_ptr points to the next free tx_cb, but the function returned the wrong element, causing incorrect cleanup of transmission buffers.
In the Linux kernel, a vulnerability in the bcmgenet driver causes a leak of free buffer descriptors (free_bds) during TX queue reclaim. Fast-forwarding the write pointer drops frames without returning them to the free pool, leading to resource exhaustion.
In the Linux kernel, a vulnerability was found in the bcmgenet driver's timeout handler. The bcmgenet_timeout handler aggressively stopped all transmit queues when only a single queue timed out, causing numerous race conditions with other queues that were still operating normally.
In the Linux kernel, a vulnerability was found in the open-coded task_vma iterator in BPF. The iterator reads task->mm without locking and does not increment the mm_struct reference count, leading to a use-after-free when the task exits concurrently.
A vulnerability in the Linux kernel's BPF task_vma iterator causes a lock ordering issue between vm_lock, i_rwsem, and mmap_lock. The fix snapshots the VMA under the per-VMA lock and releases the lock before returning data to the BPF program.
A vulnerability in the Linux kernel causes an RCU stall in bpf_fd_array_map_clear(). Missing cond_resched() in the loop processing PROG_ARRAY maps with many entries leads to system hangs under load.
In the Linux kernel's 6pack (hamradio) driver, an uninit-value read vulnerability was found in the sixpack_receive_buf function. The function fails to properly skip bytes with TTY error flags, causing processing of data that should have been discarded.
A vulnerability in the Linux kernel's BPF verifier allows incorrect state comparison for scalar registers with the BPF_ADD_CONST flag due to missing base ID consistency checks. This can lead to state pruning succeeding erroneously, potentially bypassing security checks.
In the Linux kernel, a vulnerability in the cls_fw classifier allows a filter to be published to the datapath before its change() function is called, leading to a NULL pointer dereference when an invalid old-style filter is used.
A vulnerability in the Linux kernel causes a memory leak of socket buffers (skb) during deferred packet drops in qdiscs. The issue occurs when the root qdisc does not implement the TCQ_F_DEQUEUE_DROPS flag, leaving packets stranded on the child's local to_free list without being freed.
In the Linux kernel, a vulnerability in the BPF sock_ops mechanism causes the SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() macros to fail to zero the destination register when dst_reg equals src_reg. This results in stack out-of-bounds reads and kernel pointer leaks.
A vulnerability in the Linux kernel's RDS/IB module prevents it from functioning correctly in network namespaces other than the initial one. This restricts RDS/IB usage to the initial network namespace only.
An out-of-bounds read occurs in the Linux kernel when copying data from a BPF_MAP_TYPE_CGROUP_STORAGE map to another per-CPU map with the same value_size that is not rounded up to 8 bytes. The pcpu_initValue function incorrectly assumes the source data is 8-byte aligned, leading to OOB access.
In the Linux kernel, a vulnerability in the PPP driver allows a local unprivileged user to perform administrative ioctls (such as PPPIOCNEWUNIT, PPPIOCATTACH, PPPIOCATTCHAN) in an inherited network namespace while only having CAP_NET_ADMIN in a newly created user namespace. The fix requires CAP_NET_ADMIN in the user namespace that owns the target network namespace.
A vulnerability in the Linux kernel's bpf_prog_test_run_skb function allowed access to IP headers even when test input contained only an Ethernet header. Lack of IPv4/IPv6 header length checks could lead to out-of-bounds read.
In the Linux kernel Bluetooth HCI UART driver, a vulnerability exists where the HCI_UART_PROTO_INIT flag is not cleared after a failed HCI device registration. This allows incoming UART data to be processed by the protocol handler after resources are freed, leading to a null pointer dereference.
In the Linux kernel, a vulnerability was found in the Bluetooth stack where hci_conn_request_evt() calls hci_connect_cfm() without holding the hdev->lock, potentially leading to a use-after-free (UAF) if the connection is deleted concurrently.
In the Linux kernel, the Bluetooth L2CAP subsystem lacked a channel lock in the l2cap_ecred_reconf_rsp() function. A remote BLE device can send a crafted ECRED reconfiguration response, corrupting the channel list while another thread iterates it.
A vulnerability in the Linux kernel's SCTP over UDP implementation causes functions udp_tunnel_xmit_skb() to run without disabling bottom halves (BH), potentially moving context between CPUs and breaking recursion counters. This leads to incorrect recursion detection and packet drops, severely degrading SCTP throughput.

