CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
In the Linux kernel, a vulnerability was found in the virtio-gpu driver. When the driver is built with KMS (Kernel Mode Setting) disabled, it does not initialize DRM atomic and modesetting structures. This leads to accessing uninitialized data during driver removal or unbinding, causing a kernel crash.
A bug in the Rust compiler causes the -Cforce-unwind-tables=y flag to emit uwtable annotation only for functions, not for the module. This leads to incorrect DWARF information for KASAN constructors, causing boot failures when CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled.
A vulnerability in the Linux kernel's KVM caused a false WARN when marking a page as dirty while the VM is dying. This primarily affects SEV-ES guests where KVM keeps a writable mapping of a guest page after an exit to userspace and tries to unmap it during vCPU destruction, triggering the warning. The fix modifies the WARN condition to only trigger when the VM is still alive.
In the Linux kernel pinctrl mcp23s08 driver, a NULL pointer dereference vulnerability occurs during probe. The issue is caused by uninitialized mcp->dev and mcp->addr fields before regmap_init, leading to a NULL pointer dereference during SPI read.
In the Linux kernel, a vulnerability was found in the KASAN mechanism for ARM architecture. Incorrect use of ldr instruction (instead of ldrb) for reading the VMAP stack shadow causes an alignment fault on ARMv5, leading to a system crash before initialization.
In the Linux kernel for ARM64, the pagetable_dtor() call was missing when freeing hot-removed page table pages. This caused bad page states, PTL allocation leaks, and incorrect NR_PAGETABLE statistics.
A use-after-free (UAF) vulnerability was found in the Linux kernel's may_decode_fh() function in the fhandle mechanism. The issue arises from reading the mount::mnt_ns field without proper locking, allowing a race condition during unmounting and freeing of the mount namespace. An attacker could exploit this to leak data, cause an infinite loop, or crash the kernel.
In the Linux kernel, the i2c-imx driver has a clock and pinctrl state inconsistency in runtime PM. If pinctrl sleep state transition fails during suspend, the clock remains disabled, causing a system crash on subsequent hardware access.
In the i2c-qcom-cci driver for the Qualcomm CCI controller, a NULL pointer dereference occurs during device unbinding or driver removal when only one of the two I2C masters is initialized. The cci_remove() function calls cci_halt() on all masters, but the completion object is only initialized for the enabled master, leading to a kernel crash.
In the Linux kernel, a vulnerability was found in the airoha network driver where airoha_qdma_init_hfwd_queues() calls of_reserved_mem_lookup() without checking for NULL return. This can lead to a NULL pointer dereference and system crash.
In the Linux kernel bonding driver, a NULL pointer dereference vulnerability exists in bond_do_ioctl(). The slave_dbg() call before the NULL check on slave_dev causes a kernel panic when a non-existent slave interface is used via ioctl.
In the Linux kernel, a vulnerability in the nvmem driver for ONIE-TLV layouts causes an infinite loop hang when encountering an unknown entry type (e.g., 0x41). The fix ensures offset incrementation for unknown types to break the loop.
In the Linux kernel, the DAMON_LRU_SORT module has a vulnerability due to missing error handling for damon_ctx allocation. The damon_lru_sort_enabled_store() function assumes allocation always succeeds, leading to a NULL pointer dereference when allocation fails.
In the Linux kernel, a vulnerability in DAMON_RECLAIM causes a NULL pointer dereference when damon_ctx allocation fails, as damon_reclaim_enabled_store() assumes allocation always succeeds. This can lead to system crashes.
In the Linux kernel, the mincore_swap() function incorrectly checked the !CONFIG_SWAP guard before handling non-swap entries (migration, hwpoison, shmem swapin-error). This caused spurious WARN messages and incorrect reporting of pages as non-resident on !CONFIG_SWAP kernels with CONFIG_MIGRATION or CONFIG_MEMORY_FAILURE enabled.
In the Linux kernel slimbus qcom-ngd-ctrl driver, callbacks are registered before the NGD (Next Generation Device) is created, causing them to operate on uninitialized data and leading to boot failures on affected boards.
In the Qualcomm slimbus driver (qcom-ngd-ctrl), a potential deadlock was found due to reversed locking order of tx_lock and ctrl->lock. During SSR/PDR down notification, tx_lock is taken and then slim_report_absent() tries to acquire ctrl->lock, causing a lock inversion and possible deadlock.
In the Linux kernel, a vulnerability was found in the DRM driver for AMD Display, specifically an out-of-bounds read in dp_get_eq_aux_rd_interval(). The aux_rd_interval array in struct dc_lttpr_caps was declared with 7 elements, but the offset parameter can be 8 when a sink reports 8 LTTPR repeaters, causing a read beyond allocated memory.
In the Linux kernel, the AMD Display driver's dal_vector_reserve() function uses uint32_t arithmetic for allocation size calculation, which can silently wrap to a small value on overflow. This leads to a smaller buffer being allocated via krealloc(), causing heap overflows on subsequent vector appends.
A WARN warning was triggered in the Linux kernel's scx_cgroup_move_task() during task migration by the sched_ext scheduler. The issue occurs when systemd modifies subtree_control and cgrp_moving_from is NULL, which is a legitimate CSS-only migration, not a missing preparation. The warning has been removed to prevent false alarms.

