CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.16)
This CVE has been rejected or withdrawn by its CVE Numbering Authority.
In the Linux kernel, a race condition in iomap error handling for buffered reads can cause a NULL pointer dereference. Decrementing read_bytes_pending before error reporting allows another thread to complete the folio and detach it, leading to a crash.
In the Linux kernel, a vulnerability in the IOMMU/DMA subsystem causes iommu_dma_iova_link_swiotlb() to attempt mapping a zero-length region, leading to iommu_map() failure and mapping corruption. This is frequently triggered by Thunderbolt NVMe drives forcing SWIOTLB for unaligned memory.
A vulnerability was found in the Linux kernel's rtmutex locking mechanism, where remove_waiter() can be called for a non-enqueued waiter, leading to a NULL pointer dereference. The issue occurs during FUTEX_CMP_REQUEUE_PI operations when the waiter is not properly registered in the wait queue.
In the Linux kernel, a vulnerability in memcg's refill_stock uses get_random_u32_below() which is unsafe in NMI context, potentially corrupting the ChaCha batch state. The fix replaces random selection with a per-CPU round-robin counter.
A use-after-free vulnerability was found in the Linux kernel's fastrpc driver. When the user closes the file descriptor, the fastrpc_user structure is freed, but a workqueue may still access the freed memory, leading to a security issue.
A use-after-free vulnerability was found in the Linux kernel's fastrpc driver. The fastrpc_map_lookup function returns a raw pointer after releasing the lock, and the caller fastrpc_map_create attempts to increment the reference count on this unprotected pointer. A concurrent MEM_UNMAP operation can free the map between the lock release and the increment, leading to use-after-free.
In the Linux kernel, the misc: fastrpc driver has a vulnerability due to misuse of find_vma(). When a user pointer falls in a gap before the returned VMA, the DMA address offset calculation underflows, corrupting the DMA address sent to the DSP.
A NULL pointer dereference was found in the Linux kernel's fastrpc driver during an rpmsg callback. The issue occurs when the DSP sends a message before fastrpc_channel_ctx initialization completes, causing a system crash.
In the Linux kernel, a vulnerability in the Phonet subsystem was found where phonet_device_destroy() removes a phonet_device from the per-net list using list_del_rcu() but frees it immediately, while RCU readers may still hold a pointer, leading to a slab-use-after-free.
A use-after-free vulnerability was found in the Linux kernel's NVMEM subsystem. Error handling paths incorrectly use the nvmem structure after freeing its memory, potentially leading to security breaches.
A vulnerability was found in the Linux kernel's set_pmd_migration_entry() function in mm/huge_memory.c. The function incorrectly uses pmd_write(), pmd_soft_dirty(), and pmd_uffd_wp() flags for device-private PMD entries, leading to incorrect marking of migration entries as writable. The issue was observed in the hmm.hmm_device_private.anon_write_child test, causing rmap state corruption and assertion failures.
A vulnerability in the Linux kernel's hugetlb reservation management was found. During hugetlb folio copy operations (e.g., UFFDIO_COPY or fork), error handling fails to restore the VMA reservation, causing a leak that can lead to SIGBUS on previously reserved addresses.
A vulnerability was found in the Linux kernel's list_lru mechanism during memcg reparenting. The xarray entry for a dying memcg is cleared before draining its per-node lists, allowing concurrent list_lru_del() operations to manipulate the same list items under different locks, causing list corruption.
In the Linux kernel MMC driver for old Rockchip controllers (rk2928, rk3066, rk3188), missing private data structure caused NULL-pointer dereference after adding memory clock auto-gating support. This affects Linux kernel.
In the Linux kernel's AF_RXRPC subsystem, a vulnerability was found in the ACK parser due to improper access to the SACK buffer in received UDP packets. The rxrpc_input_soft_acks() function modifies the skbuff and may incorrectly read data in case of packet fragmentation, potentially leading to parsing errors.
In the Linux kernel, the Thunderbolt driver's validator accepts property entries with zero length, causing a buffer underflow when null-terminating the text. This can lead to out-of-bounds memory write.
In the Linux kernel's Thunderbolt driver, a vulnerability was found due to missing bounds check for root directory content offset and length against block size. This can cause out-of-bounds memory read when processing properties.
In the Linux kernel Thunderbolt driver, a vulnerability was found where the XDomain response data copy length is not validated against the allocated buffer size. A malicious peer can set a length field larger than data_length, causing memcpy to write past the kcalloc allocation.
In the Linux kernel, a vulnerability in the Thunderbolt driver allows out-of-bounds reads because tb_xdp_handle_request() casts received packet buffers to protocol-specific structs without verifying the allocation is large enough. An attacker can send a minimal XDomain packet that passes the generic header length check but is shorter than the target struct.

