CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.15)
In the Linux kernel's Bluetooth L2CAP subsystem, a vulnerability allows an unauthenticated BR/EDR peer within radio range to send a signaling packet larger than the allowed MTU (MTUsig). Such a packet can contain multiple ECHO_REQ commands, forcing the target device to send many ECHO_RSP responses, potentially leading to overload.
A deadlock vulnerability (AA deadlock) was found in the Linux kernel's memory failure handling. Two concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can cause a recursive spinlock self-deadlock on hugetlb_lock when racing with a concurrent unmap.
In the Linux kernel, the accel/ivpu driver now validates firmware runtime memory bounds. Missing bounds check could cause memory allocation and image transfer errors.
In the Linux kernel, the accel/ivpu driver now validates firmware log buffer read/write indices against buffer size. Missing bounds checks could allow out-of-bounds memory access when firmware supplies invalid indices.
In the Linux kernel, a NULL pointer dereference vulnerability was found in the stratix10-rsu driver. The issue occurs when rsu_send_msg() returns -ETIMEDOUT and the code continues processing on a channel whose scl structure has already been cleared, leading to a NULL dereference in the svc kthread.
In the Linux kernel, a buffer overflow check was added in the accel/ivpu driver's get_info_ioctl function. Missing validation of the size returned by firmware could lead to copying data beyond the allocated buffer.
In the Linux kernel, the accel/ivpu driver has a vulnerability due to signed integer truncation in the IPC receive function. Large unsigned values (>= 0x80000000) supplied by firmware are cast to signed int, causing negative values and subsequent stack buffer overflow during memcpy.
In the Linux kernel, an optimization that skipped exec queue schedule toggle during suspend was reverted because it bypassed GuC suspend, preventing context switch TLB flush for invalidated userptr VMAs. This caused page faults in userptr invalidation tests in LR/preempt-fence VM mode.
A vulnerability was found in the Linux kernel's KVM for ARM64, affecting the handling of the XN[0] bit when FEAT_XNX is not supported. The bug incorrectly uses FIELD_PREP() on the mask that clears XN[0], unconditionally granting execute permissions.
In the Linux kernel, the hv_netvsc driver used phys_to_virt() for mapping memory pages, which on 32-bit x86 with CONFIG_HIGHMEM=y causes memory access faults and system crashes. The fix replaces phys_to_virt() with kmap_local_page() to correctly handle pages outside the kernel direct map.
In the Linux kernel, a use-after-free vulnerability was found in ksmbd related to a deferred file_lock during double SMB2_CANCEL. A second cancel for the same AsyncId triggers the cancel callback on already freed memory, leading to a security breach.
An ABBA deadlock was found in the Linux kernel's iptfs_destroy_state() function in the IPTFS (IPsec) implementation. The issue occurs when the function calls hrtimer_cancel() while holding a spinlock also required by the timer callback, leading to a deadlock on SMP systems.
A heap overflow vulnerability was found in the get_manuf_info() function of the Linux kernel's USB serial io_ti driver. The function reads data from a USB device with a size specified by the Size field, which is not properly validated before allocating the destination buffer. A malicious USB device can set the size to up to 16377 bytes, causing a heap overflow of up to 16367 bytes.
In the Linux kernel, a vulnerability in the USB serial io_ti driver was found where build_i2c_fw_hdr() allocates a fixed-size buffer but copies user-controlled length data (up to 65535 bytes) without validation, causing a heap overflow.
In the Linux kernel's kl5kusb105 USB serial driver, a bulk-out buffer overflow vulnerability was found. The klsi_105_prepare_write_buffer() function copies data from the fifo into a 64-byte buffer without accounting for the two-byte header, causing an out-of-bounds write.
In the Linux kernel, a use-after-free vulnerability was found in the ALSA timer subsystem. When a timer object is freed via snd_timer_free, slave timer instances still point to the freed object, leading to potential memory corruption. The bug is easily triggered with the new userspace-driven timers (CONFIG_SND_UTIMER).
A use-after-free (UAF) vulnerability was found in the snd_timer_user_params() function of the ALSA driver in the Linux kernel. The issue occurs when a user timer (CONFIG_SND_UTIMER) is being closed while another thread concurrently executes the SNDRV_TIMER_IOCTL_PARAMS ioctl, which was not protected by the register_mutex. The patch adds the missing synchronization to prevent the race condition.
In the Linux kernel's io_uring/net subsystem, a vulnerability was found due to improper inheritance of the IORING_CQE_F_BUF_MORE flag during bundle recv retries. The flag was missing from the CQE_F_MASK, causing it to be dropped and leading to incorrect buffer management by userspace.
In the Linux kernel, a dma_fence refcount leak was found in the virtio-gpu driver. The function virtio_gpu_dma_fence_wait() fails to release the chain reference on early return from the loop on error, causing a memory leak.
In the Linux kernel, a vulnerability was found in __split_huge_pmd_locked() where the file/shmem RSS counter was updated after dropping the folio reference. If folio_put() released the last reference, subsequent reads of folio state by mm_counter_file() could access freed memory.

